Software Compatibility Matrixes

Release 3.6(x) Compatibility Matrix

Table 3, "Release 3.6(x) Compatibility Matrix" shows Clean Access Manager and Clean Access Server compatibility and the Agent version bundled with each CCA 3.6(x) release (if applicable). CAM/CAS/Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in the table.

2. Patch release 3.6.4.4 is a general patch release for the CAM and CAS that addresses a Cisco PSIRT issue involving caveat CSCsj33976. See Resolved Caveats - Release 3.6.4.4 for more information. In-place upgrade is not supported.

5. Release 3.6.4.1 must be applied only when upgrading 3.6(x) CAM/CAS systems, and resolves caveat CSCse97903. If upgrading a 3.6(x) system, you must upgrade to 3.6.4.1. If migrating from 3.5(x) or performing a new 3.6(x) installation, you can use the 3.6(4) ISO CD and there is no need to install the 3.6.4.1 patch. See Enhancements for Release 3.6.4.1.


Web Browser Compatibility

•High encryption is also required for client browsers for web login and Clean Access Agent authentication.

Note Cisco NAC Appliance does not support beta versions of third-party software, except where specifically noted.

Determining the Software Version

Clean Access Manager

•From the web administration console, you can determine the version of the CAM from Administration > CCA Manager > System Upgrade. The software version and date are listed in the Current Version field.

•From an SSH connection to the machine, you can determine the version of code running on a Clean Access server image by entering: cat /perfigo/build

Clean Access Server

•From the CAM web administration console, you can determine the version of the CAS by going to Device Management > CCA Server, clicking the Manage icon for the Server in the List of Servers, then clicking the Misc tab, which displays the Update page by default. The software version and date are listed in the Current Version field.

•From an SSH connection to the machine, you can determine the version of code running on a Clean Access server image by entering: cat /perfigo/build

•From the CAS's direct access web console (https://<CAS_eth0_IP>/admin), you can determine the version of the CAS by going to Administration > Software Update. The software version and date are listed in the Current Version field.

Clean Access Agent

•From the web admin console, you can determine the version of the Clean Access Agent from either:

Enhancements for Release 3.6.4.4

Release 3.6.4.4 is a general patch release for the Clean Access Manager (CAM) and Clean Access Server (CAS) that addresses a Cisco PSIRT issue involving caveat CSCsj33976. See Resolved Caveats - Release 3.6.4.4 for more information. No new features are added.

CD Installation Instructions for 3.6.4.4

Important Information for 3.6.4.4 Upgrade

Note
•Release 3.6.4.4 is applied to the Clean Access Manager and Clean Access Server(s) and is a mandatory upgrade for 3.6(x) systems.

•In-place upgrade is not supported.

•The 3.6.4.4 release incorporates all fixes in the 3.6.4.1, 3.6.4.2, 3.6.4.3, and Patch-CSCsg24153 patches. It is not necessary to apply these patches first before upgrading to 3.6.4.4, and you can upgrade directly from any 3.6(x) release.

•When upgrading from 3.6(x) to 3.6.4.4, you can perform webconsole upgrade of standalone 3.6(x) CAM/CAS machines if the following conditions are met:

Enhancements for Release 3.6.4.3

Release 3.6.4.3 is a general and important bug fix release and patch for the Clean Access Manager (CAM) and Clean Access Server (CAS) that resolves the caveats described in Resolved Caveats - Release 3.6.4.3 and adds the following enhancements.

Important Information for 3.6.4.3 Upgrade

Note
•Release 3.6.4.3 is applied to the Clean Access Manager and Clean Access Server(s) and is a mandatory upgrade for 3.6(x) systems.

•Release 3.6.4.3 is an upgrade-only patch. CD install and in-place upgrade are not supported.

•Your CAM/CAS must already be running 3.6(x) to upgrade to release 3.6.4.3. If running 3.5(x) or below, you must perform in-place upgrade to 3.6(4) before you can upgrade to 3.6.4.3.

•The 3.6.4.3 release incorporates all fixes in the 3.6.4.1, 3.6.4.2, and Patch-CSCsg24153 patches. It is not necessary to apply these patches first before upgrading to 3.6.4.3, and you can upgrade directly from any 3.6(x) release.

•When upgrading from 3.6(x) to 3.6.4.3, you can perform webconsole upgrade of standalone 3.6(x) CAM/CAS machines if the following conditions are met:

Supported AV/AS Product List Enhancements (Version 48)

Enhancements for Release 3.6.4.2

Release 3.6.4.2 is a general and important bug fix release and patch for the Clean Access Manager (CAM) only that resolves the caveats described in Resolved Caveats - Release 3.6.4.2. No new features are added.

Note
•The 3.6.4.2 patch is applied to the Clean Access Manager only.

•The 3.6.4.2 patch is a mandatory patch for the 3.6.4.1 and all prior 3.6(x) CAMs. To apply the patch:

–If you are running 3.6.4.1, you can apply the 3.6.4.2 patch directly to your CAM.

–If you are running 3.6(4) on a system that was upgraded to 3.6(4) from 3.5(x), 3.6(0) or 3.6(1) using a CD, you can apply the 3.6.4.2 patch directly to your CAM.

–If you are running 3.6(4) on a system that was upgraded to 3.6(4) from 3.6(2) or 3.6(3), then you must first apply the 3.6.4.1 patch to your CAM prior to applying the 3.6.4.2 patch. NOTE: This is an important step that must be performed manually; the 3.6.4.2 patch does not apply any updates/fixes contained in the 3.6.4.1 patch.

–If you are running 3.6(0), 3.6(1), 3.6(2), or 3.6(3), you must apply the 3.6.4.1 patch to your CAM prior to applying the 3.6.4.2 patch. NOTE: This is an important step that must be performed manually; the 3.6.4.2 patch does not apply any updates/fixes contained in the 3.6.4.1 patch.

–If you are running 3.5(x) and want to upgrade to 3.6(x), you can upgrade to 3.6(4) using the upgrade procedure and the 3.6(4) CD, following which you can apply the 3.6.4.2 patch.

•The 3.6.4.2 patch includes a script to update all the existing ARP entries on your CAM to ensure that only the right ARP entries are present.

Step 2 If running either 3.6.4.1 or 3.6(4) on a system that was upgraded to 3.6(4) from 3.5(x), 3.6(0) or 3.6(1) using a CD, upgrade the CAM to the 3.6.4.2 patch using one of the following procedures. Carefully follow instructions to upgrade the CAM:

Step 3 If running 3.6(4) on a system that was upgraded to 3.6(4) from 3.6(2) or 3.6(3), or running 3.6(0), 3.6(1), 3.6(2), or 3.6(3) on your system, you must first apply the 3.6.4.1 patch to your CAM prior to applying the 3.6.4.2 patch. Refer to the instructions in Enhancements for Release 3.6.4.1 to apply the 3.6.4.1 patch, then follow the instructions in Step 2 above to apply the 3.6.4.2 patch.

Step 4 After the CAM has been upgraded to 3.6.4.2, access the console for each attached Clean Access Server (CAS) and perform service perfigo restart. (Or you can perform service perfigo reboot if preferred.) For a CAS HA-pair, it is sufficient to perform service perfigo restart on the currently active CAS.

Enhancements for Release 3.6.4.1

Release 3.6.4.1 is a general and important bug fix release and patch for the Clean Access Manager and Clean Access Server that resolves caveat CSCse97903. No new features are added.

Note
•Release 3.6.4.1 must be applied only when upgrading 3.6(x) CAM/CAS systems. If upgrading your 3.6(x) system, you must upgrade to 3.6.4.1.

•If migrating from 3.5(x) or performing a new 3.6(x) installation, you can use the 3.6(4) ISO CD and there is no need to install the 3.6.4.1 patch.

•The patch must be applied to the CAS and CAM simultaneously during the same maintenance window.

Support for "Ignore" Global Device Filter for IP Phones in OOB Deployments

Release 3.6(4)+ provides a new "ignore" global device filter control which when set for the specified MAC address will ignore SNMP traps from managed switches in Out-of-Band deployments. This feature is intended to support OOB client machines connected to the network via IP phones.

Note After 3.6(4)+ upgrade, administrators should reconfigure any "allow" device filters specified for IP phones with previous CCA releases to the new "ignore" option.

Note The "ignore" option applies to OOB deployments and global device filters only. It does not apply to CAS-specific filters, and for IB deployments this option has no effect.

This new feature enhances the following web admin console page:

•Device Management > Filters > New/Edit (new "ignore" option)

Clean Access Agent (3.6.4.0)

Version 3.6.4.0 of the Clean Access Agent provides the following enhancements:

•Support for new TrendMicro, Sophos and Grisoft AV/AS products.

•Version 3.6.4.0 adds support for IE 7 Beta 3.

Note Support for any future IE 7 releases will only be added after testing and certification has been performed on those releases.

OOB Page Redirection Timers (SNMP Receiver Advanced Settings)

When configuring OOB for web login users, release 3.6(3) provides new "Redirection Delay with/without Bouncing" options for additional control of webpage redirection intervals (to allow time for port bouncing or to minimize redirection time if no port bouncing is required). This allows the port to be bounced after a configured interval, and the page to be redirected after another configured interval. The total of these configured intervals then becomes the redirection interval experienced by the user after login, by default 20 seconds when the port is bounced. The client will then be on the Access VLAN.

•When the port is not bounced, the total redirection interval that the user experiences is the value of the Redirection Delay without Bouncing field.

•When the port is bounced, the total redirection interval that the user experiences is the sum of 2 fields: Redirection Delay with Bouncing and Port Bounce Interval.

Authentication Cache Timeout

For performance reasons, the Clean Access Manager caches the authentication results from user authentication for 2 minutes by default. Release 3.6(3) provides a new "Authentication Cache Timeout" control on the Auth Server list page that allows administrators to configure the number of seconds the authentication result will be cached in the CAM. When a user account is removed from the authentication server (LDAP, RADIUS, etc.), administrators can restrict the time window during which that user can still log in to CCA by configuring the Authentication Cache Timeout.
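The window described above can be modeled directly. The following is an added example (not Cisco code) that simulates the CAM's authentication cache with a configurable timeout in front of a constructed stand-in directory, and measures for how many seconds a removed account keeps authenticating from the cache; `AuthCache`, `FakeDirectory` and `relogin_window` are hypothetical names.

```python
import time


class AuthCache:
    """Model of the CAM authentication result cache (added example, not Cisco code).

    A backend result is reused for `timeout_s` seconds; the page's default is
    120 s (2 minutes). Only the model's behaviour is claimed, not the CAM's
    internal data structures.
    """

    def __init__(self, backend, timeout_s=120):
        self.backend = backend      # callable(user, password) -> bool
        self.timeout_s = timeout_s
        self._cache = {}            # (user, password) -> (result, expires_at)

    def authenticate(self, user, password, now=None):
        now = time.time() if now is None else now
        key = (user, password)
        hit = self._cache.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]           # served from cache; backend is not consulted
        result = self.backend(user, password)
        self._cache[key] = (result, now + self.timeout_s)
        return result


class FakeDirectory:
    """Constructed stand-in for an LDAP/RADIUS server (hypothetical)."""

    def __init__(self):
        self.accounts = {"alice": "s3cret"}   # constructed sample account

    def check(self, user, password):
        return self.accounts.get(user) == password

    def remove(self, user):
        self.accounts.pop(user, None)


def relogin_window(timeout_s, removed_at=30):
    """Seconds after account removal during which login still succeeds.

    Scenario: alice logs in at t=0 (result cached), the account is deleted at
    t=removed_at, and alice retries once per second afterwards.
    """
    directory = FakeDirectory()
    cache = AuthCache(directory.check, timeout_s)
    if not cache.authenticate("alice", "s3cret", now=0.0):
        raise RuntimeError("initial login should succeed")
    directory.remove("alice")
    window = 0
    for t in range(removed_at, removed_at + timeout_s + 5):
        if cache.authenticate("alice", "s3cret", now=float(t)):
            window += 1
        else:
            break
    return window


if __name__ == "__main__":
    for timeout in (120, 60, 10):
        print(f"timeout={timeout:3d}s -> removed account still logs in for "
              f"{relogin_window(timeout)}s")
```

Lowering the timeout shrinks the window but also sends more requests to the authentication server, which is the performance trade-off the page mentions.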

API Enhancements

The Clean Access API for your Clean Access Manager is accessed from a web browser as follows: https://<cam-ip-or-name>/admin/cisco_api.jsp. With release 3.6(3), the Cisco Clean Access API utility script, cisco_api.jsp, provides the following enhancements:

New APIs:

•kickuserbymac — Removes in-band logged in user(s) by MAC address. For multiple users, you can specify a comma-separated list of MAC addresses.

•changeloggedinuserrole — Change in-band user access permissions by modifying a user's logged in role to the specified role. For multiple users, you can specify a comma-separated list of IP addresses.

Enhanced APIs:

•changeuserrole — With 3.6.3+, change in-band user access permissions by removing the user from the Online Users list and adding the user's MAC address to the Device Filters with new specified role. (Note: For 3.6(2) and prior, this function only changes the logged in user's role.)

•kickoobuser — Removes logged-in out-of-band user(s). With 3.6(3)+ you can specify a comma-separated list of IP addresses to remove multiple users.

•kickuser — Removes logged-in in-band user(s). With 3.6(3)+ you can specify a comma-separated list of IP addresses to remove multiple users.

New "service perfigo maintenance" CLI Command for CAS

Release 3.6(3) provides a new service perfigo maintenance CLI command that can be issued on the CAS machine to maintain network connectivity when bringing the CAS into maintenance mode. In maintenance mode, only the basic CAS router runs and continues to handle VLAN-tagged packets. The new command allows communication through the management VLAN to the CAS, and is intended for environments where the CAS is in trunk mode and the native VLAN is different than the management VLAN. This command provides a better alternative to the service perfigo stop command, which causes the CAS to lose network connectivity when a management VLAN is set.

Note service perfigo maintenance is available on the CAS CLI only (does not apply to CAM).

Note
•The 3.6.2.2 patch is a required upgrade for all HA-CAM systems running 3.6.2.1 or 3.6(2). Customers currently running 3.6(2) on HA-CAMs must upgrade to 3.6.2.1 then 3.6.2.2 to apply this patch.

•The 3.6.2.2 patch is not required for customers running 3.6(2)/3.6.2.1 on standalone (non-HA) CAMs. However, it is recommended to apply the patch to keep your system current should you have a future need to configure your CAMs for HA.

•This patch is a CAM-only patch. The 3.6.2.2 patch can only be applied to CAM systems running 3.6.2.1. It cannot be applied to 3.6.2.1 CAS systems. After applying this patch the CAM version will be 3.6.2.2, and the CAS version remains 3.6.2.1.

a. Access the Primary CAM by opening the web console for the Primary's IP address.

b. Access the Secondary CAM by opening the web console for the Secondary's IP address.

The web console for the inactive CAM will only display the CCA Manager module menu. Future references in these instructions that specify "active" or "inactive" refer to the results of this test as performed at this time.

Note The CAM configured as HA-Primary may not be the currently Active CAM.

Step 4 On the inactive CAM, untar the upgrade file:

cd /store

tar xvzf cam-3.6.2.1-to-3.6.2.2-upgrade.tar.gz

Step 5 Change directory (cd) to the untarred upgrade directory:

cd cam_upgrade_3.6.2.2/

Step 6 Run the upgrade:

./UPGRADE.sh

Step 7 Run the following command on the inactive CAM only:

service perfigo restart

Step 8 On the active CAM, untar the upgrade file:

cd /store

tar xvzf cam-3.6.2.1-to-3.6.2.2-upgrade.tar.gz

Step 9 Change directory (cd) to the untarred upgrade directory:

cd cam_upgrade_3.6.2.2/

Step 10 Run the upgrade:

./UPGRADE.sh

Step 11 This completes the upgrade. No "service perfigo restart" is needed on the active CAM.

Upgrade Instructions for 3.6.2.2 (Standalone CAM Only)

The 3.6.2.2 patch is not required for customers running 3.6(2)/3.6.2.1 on standalone (non-HA) CAMs. However, it is recommended to apply the patch to keep your system current should you have a future need to configure your CAMs for HA. You may use either SSH or web upgrade procedures to apply the 3.6.2.2 patch to a standalone CAM system only. Carefully review the instructions described in Upgrade Instructions for 3.6(x) Minor Releases and Patches prior to upgrading your CAM.

Note After 3.6.2.2 patch upgrade, no automatic reboot occurs on the CAM and no reboot is required.

Enhancements for Release 3.6.2.1

Release 3.6.2.1 is a general and important bug fix release and patch for the Clean Access Manager and Clean Access Server that resolves caveat CSCsd74376. No new features are added. See Upgrade Instructions for 3.6.2.1 for how to apply this patch.

Note If you are using Broadcom 5702/5703/5704 NIC cards in your CAM/CAS servers, refer to the instructions described in Known Issues with Broadcom NIC 5702/5703/5704 Chipsets prior to upgrading to release 3.6.2.1. Server models with Broadcom 5702/5703/5704 NIC cards may include: Dell PowerEdge 850, CCA-3140-H1, HP ProLiant DL140 G2/DL360/DL380.

Note
•The 3.6.2.1 patch is a required patch for all 3.6(2) systems. All customers running 3.6(2) should apply this patch.

•The 3.6.2.1 patch can only be applied to 3.6(2) systems.

•Customers running 3.6.0 and 3.6.1 with Clean Access Servers affected by caveat CSCsd74376 must first upgrade to 3.6(2), then perform 3.6.2.1 patch upgrade.

•The patch must be applied to the CAS and CAM simultaneously during the same maintenance window.

•Web upgrade is recommended to upgrade from release 3.6(2) to 3.6.2.1.

CE500 Support Enhancement

When the Cisco Catalyst Express 500 Series (CE500) is added to the Clean Access Manager as a managed switch, it will use linkup/linkdown SNMP trap notification by default. With release 3.6(2) and above, the CE500 can be configured to use mac-notification traps using the Advanced configuration page for the switch (under Switch Management > Devices > List > Config [Switch IP] > Config > Advanced).

Note If running an IOS version lower than 12.2(25) SEG, the switch ports of the CE500 must be assigned to the OTHER role (not Desktop or IP phone) on the switch's Smartports configuration, otherwise, mac-notification will not be sent out. See also Supported Switches for Cisco NAC Appliance.

Heartbeat Timer Enhancements for L3 Deployments

With release 3.6(2) and above, the Heartbeat Timer behaves as inactivity/idle timer for L3 deployments in addition to L2 deployments. For L2 deployments, there is no change in Heartbeat Timer function.

For L3 deployments, the Heartbeat Timer now behaves as described in the following cases:

•L3 deployments where routers do not perform proxy ARP:

If the Clean Access Server sees no packets from the user for the duration of time that the heartbeat timer is set to, then the user will be logged out. Even if the user's machine is connected to the network but does not send a single packet that reaches the CAS, it will be logged out. Note that this is highly unlikely because modern systems send out many packets even when the user is not active (e.g. chat programs, Windows update, AV software, ads on web pages, etc.).

•L3 deployments where the router/VPN concentrator performs proxy ARP for IP addresses on the network:

In this scenario, if a device is connected to the network the router will perform proxy ARP for the device's IP address. Otherwise, if a device is not connected to the network, the router does not perform proxy ARP. Typically only VPN concentrators behave in this way. In this case, if the Clean Access Server sees no packets, the CAM/CAS attempts to perform ARP for the user. If the router responds to the CAS because of proxy ARP, the CAM/CAS will not log out the user. Otherwise, if the router does not respond to the CAS, because the device is no longer on the network, the CAM/CAS will log out the user.

•L3 deployments where the router/VPN concentrator performs proxy ARP for the entire subnet:

In this scenario, the router/VPN concentrator performs proxy ARP irrespective of whether individual devices are connected. In this case, the Heartbeat Timer behavior is unchanged, and the CAM/CAS never logs out the user.
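The three L3 cases above reduce to one decision rule. The following added example (not Cisco code) encodes that rule as a function and runs it over a constructed table of cases; `ProxyArp`, `should_log_out` and `walk_cases` are hypothetical names, and the router's ARP behaviour is modeled as a simple boolean rather than a real probe.

```python
from enum import Enum


class ProxyArp(Enum):
    """How the upstream router/VPN concentrator answers ARP for user IPs."""
    NONE = "routers do not perform proxy ARP"
    PER_DEVICE = "proxy ARP only for devices currently connected"
    ENTIRE_SUBNET = "proxy ARP for the entire subnet"


def router_answers_arp(mode, device_connected):
    """Model of the router's reply to the CAS's ARP for the user's IP (assumption).

    With no proxy ARP the CAS is on a different subnet than the L3 user, so
    nothing answers; with per-device proxy ARP the router answers only while
    the device is connected; with subnet-wide proxy ARP it always answers.
    """
    if mode is ProxyArp.NONE:
        return False
    if mode is ProxyArp.PER_DEVICE:
        return device_connected
    return True


def should_log_out(idle_s, heartbeat_s, mode, device_connected):
    """Heartbeat Timer decision for an L3 user (release 3.6(2)+ behaviour).

    idle_s: seconds since the CAS last saw a packet from the user.
    heartbeat_s: configured Heartbeat Timer value.
    """
    if idle_s < heartbeat_s:
        return False                 # traffic seen within the timer: stay logged in
    if mode is ProxyArp.NONE:
        return True                  # silence alone logs the user out
    # Otherwise the CAM/CAS ARPs for the user; a reply keeps the session alive.
    return not router_answers_arp(mode, device_connected)


def walk_cases(heartbeat_s=300):
    """Run every mode/connectivity combination for an idle user (constructed cases)."""
    results = {}
    for mode in ProxyArp:
        for connected in (True, False):
            results[(mode.name, connected)] = should_log_out(
                idle_s=heartbeat_s, heartbeat_s=heartbeat_s,
                mode=mode, device_connected=connected)
    return results


if __name__ == "__main__":
    for (mode, connected), logout in walk_cases().items():
        print(f"{mode:14s} connected={connected!s:5s} -> "
              f"{'LOG OUT' if logout else 'keep session'}")
```

In the subnet-wide proxy ARP case the timer never expires a session, so a disconnected user's IP remains authorized until some other mechanism removes it; that is the case to review when planning idle-session enforcement behind a VPN concentrator.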

CAM SSH Upgrade Enhancements

When upgrading the CAM from release 3.6(x) to release 3.6(2) and above, the SSH upgrade script provides an additional prompt to choose whether or not to upgrade the Clean Access Agent files inside the Clean Access Manager. Choosing Yes upgrades the Agent Setup Installation and Patch Installation files to the latest Agent version bundled with the release (for example, Agent 3.6.2.0 for release 3.6(2)). Choosing No leaves the original Agent Setup and Patch Installation files that were on your CAM prior to upgrade.

Note Once release 3.6(2) is installed on the CAM/CAS, an "Upgrade Agent" checkbox option will be displayed on the CAM web console when performing web upgrade to a future release.

Support Log and Log Level Enhancements

With release 3.6(2) and above, log level controls are added to the Support Logs pages of the CAM web console and CAS direct access web console to facilitate setting the level of various loggers on the CAM/CAS for troubleshooting purposes. This enhancement affects the following web console pages:

RADIUS "Malformed Packets" Option Enhancement

The RADIUS "malformed packets" option is improved to authenticate the user properly even if the RADIUS packet is malformed due to empty attributes only.

The name of the option is changed from "Allow Badly Formed RADIUS Packets" to "Accept RADIUS packets with empty attributes from some old RADIUS servers." This affects the following CAM web console pages:

VPN SSO Troubleshooting Enhancement

An additional "Active VPN Clients" page is added to the CAS management pages and CAS direct access console to list IP addresses known to the CAS through VPN Single Sign-On (SSO). This affects the following web console pages:

Support for Solaris OS for Web Login Users

Support for the Solaris operating system is added to web console pages where OS is used as one of the selection attributes (e.g. web login, scan setup, general setup pages). This affects the following web console pages:

Unauthenticated Role Enhancement

The unauthenticated role is denoted as "Unauthenticated Role (not common)" in the User Role selection dropdown menus for network scanning-related pages of the Clean Access module. This enhancement is intended to remind administrators not to configure the unauthenticated role for these pages, unless there is a special need to assign a user to this role after authentication.

CAM File Upload Enhancements

With release 3.6(2) and above, the location of files uploaded to the Clean Access Manager using Administration > User Pages > File Upload is changed from /perfigo/control/tomcat/normal-webapps/admin to /perfigo/control/tomcat/normal-webapps/upload in the CAM. This enhancement requires that new files uploaded to the CAM are specified using URL format https://<CAM_IP>/upload/file_name.htm when configuring user pages that reference these files.

Note
•Files uploaded to the CAM prior to 3.6(2)+ continue to be located under /perfigo/control/tomcat/normal-webapps/admin and are still referenced by https://<CAM_IP>/admin/file_name.htm.

Client Web Login Page Enhancement

With release 3.6(2)+, the client web login page sets the Username field as the initial insertion point, and accepts the Enter key when users submit login credentials. The user can immediately type their username and password then press the Enter key to get the login result. In prior releases, the user needed to move the pointer to the Username field, type credentials, then click the Continue button to submit credentials, and the Enter key was not accepted.

Clean Access Agent Enhancements (3.6.2.0)

Version 3.6.2.0 of the Clean Access Agent provides the following enhancements:

Note
•The 3.6.1.1 patch is a recommended patch for all systems upgraded from 3.6.x to 3.6(1). All customers who have upgraded from 3.6.x to 3.6(1) should apply this patch. New 3.6(1) installations, and systems that have been migrated from 3.5(9) to 3.6(1), are not affected and do not need to upgrade to this patch release.

•This patch will run only on 3.6(1) systems.

•The patch must be applied to the CAS and CAM simultaneously during the same maintenance window. This is to ensure users cannot download the Clean Access Agent in the interim before it is properly synchronized between the CAM and the CAS.

•Web upgrade is recommended to upgrade from release 3.6(1) to 3.6.1.1.

MAC Address Wildcard Support for Device Filters

Release 3.6(1) provides the ability to specify wildcards and ranges in device filter entries to allow administrators to specify a single entry for a whole range of devices, for example: "00:01:4A:* Sony-Playstations". This new feature affects the following web console pages:

NAT Session Throttle

Release 3.6(1) provides the ability to set up throttles/threshold on a per-host basis when the CAS is running as a NAT Gateway. This allows the CAS to restrict the total number of connections per host, thereby eliminating the chance of one host consuming all the connections. This affects the following web console page:

New Hardware Driver Support (tg3)

Release 3.6(1) provides a new tg3 driver that resolves the release 3.6(0) Broadcom NIC workaround (IPMI feature had to be disabled) specified in caveat CSCsd08348. With this new driver, VLAN tags are retained and the need to disable the IPMI feature using the Broadcom utility is eliminated.

Note If upgrading to release 3.6(1), you do NOT need to use the Broadcom utility, but performance will not be affected if IPMI settings have already been changed.

CAS HA (Failover) UI Enhancements

For an HA-Primary Mode or HA-Standby Mode Clean Access Server, the Disable Serial Login feature is now presented as a checkbox option to display the current status of serial login on the CAS direct access console. This affects the following page:

CAS IP Page UI Enhancement

The L3 support checkbox is changed from "Enable L3 support for Clean Access Agent" to "Enable L3 support" on the CAS IP page to more accurately reflect the setting. For multi-hop L3 in-band deployments, this setting enables/disables L3 discovery of the CAS for both web login users and Clean Access Agent users at the CAS level. This affects the following web console page:

OOB Handling of Trunk Native VLAN

Release 3.6(1), when deployed for Out-of-Band provides support for Cisco IP Phone deployments where the port is a trunk port and the native VLAN is the data VLAN.

Note Because Cisco Clean Access can control switch trunk ports for OOB in release 3.6(1), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports after upgrade. This can be done in one of two ways:

This will prevent unnecessary issues when the Default Port Profile for the switch has been configured as a managed/controlled port profile.

This affects the following web console page:

•Switch Management > Devices > Switches > List > Ports [Switch IP]

Separation of In-Band VLAN and OOB VLAN in User Role

Release 3.6(1) provides the ability to separate in-band and out-of-band VLANs when specifying VLAN assignment via the user role. This allows administrators to use the same system user role in cases where different Clean Access Servers - one inband and the other OOB - are being used and different VLANs need to be applied for in-band versus out-of-band users in the role. This affects the following web console pages:

•User Management > User Roles > New Role

•User Management > User Roles > List of Roles | Edit Role

OOB Port Profile Page Enhancement

The Port Profile page layout is enhanced to be more user-friendly and now includes the ability to switch a machine to either a User Role-based VLAN or Initial Port VLAN if the device is certified and not on the Out-of-Band Online User List. This affects the following web console pages:

•Switch Management > Profiles > Port > New

•Switch Management > Profiles > Port > List | Edit Profile

Traffic Policy Port Range Enhancements

Release 3.6(1) provides the ability to specify individual ports, a port range, a combination of ports and port ranges, or wildcards when configuring IP-based traffic policies. For example, the interface now allows specifying port values such as: "*" or "21, 1024-1100" to cover multiple ports in one policy. Previously, one port needed to be specified per policy. This reduces the number of policies that need to be configured to achieve the same effect. This enhancement affects the following web console pages:

•User Management > User Roles > Traffic Control > IP > Add Policy

•User Management > User Roles > Traffic Control > IP > Edit Policy
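The port field syntax described above ("*", single ports, ranges, and comma-separated mixes such as "21, 1024-1100") is easy to get wrong when auditing policies in bulk. The following added example (not Cisco code) parses that syntax, rejects malformed or reversed entries, tests whether a given port is covered, and counts how many one-port-per-policy entries the pre-3.6(1) model would have needed; `parse_port_spec`, `port_matches` and `single_port_equivalent` are hypothetical names, and the 0-65535 bound is an assumption.

```python
import re

PORT_MIN, PORT_MAX = 0, 65535          # assumed valid port bounds
_ENTRY = re.compile(r"(\d{1,5})(?:\s*-\s*(\d{1,5}))?")


def parse_port_spec(spec):
    """Parse a traffic-policy port field into sorted, merged (lo, hi) ranges.

    Accepts "*" (all ports), "21", "1024-1100", and comma-separated mixes.
    Raises ValueError for anything else so a bad entry is never silently
    widened or narrowed.
    """
    spec = spec.strip()
    if spec == "*":
        return [(PORT_MIN, PORT_MAX)]
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        m = _ENTRY.fullmatch(item)
        if not m:
            raise ValueError(f"malformed port entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"port entry out of range or reversed: {item!r}")
        ranges.append((lo, hi))
    # Merge overlapping or adjacent ranges so coverage questions are exact.
    ranges.sort()
    merged = [ranges[0]]
    for lo, hi in ranges[1:]:
        last_lo, last_hi = merged[-1]
        if lo <= last_hi + 1:
            merged[-1] = (last_lo, max(last_hi, hi))
        else:
            merged.append((lo, hi))
    return merged


def port_matches(spec, port):
    """True if `port` falls inside the policy's port field."""
    return any(lo <= port <= hi for lo, hi in parse_port_spec(spec))


def single_port_equivalent(spec):
    """Number of one-port policies needed for the same coverage before 3.6(1)."""
    return sum(hi - lo + 1 for lo, hi in parse_port_spec(spec))


if __name__ == "__main__":
    # Constructed sample fields as an administrator might enter them.
    for field in ("*", "21, 1024-1100", "80,443, 8000-8080, 8081"):
        print(f"{field!r:28s} -> {parse_port_spec(field)} "
              f"({single_port_equivalent(field)} single-port policies)")
    for bad in ("1100-1024", "70000", "ftp", "21,,22"):
        try:
            parse_port_spec(bad)
        except ValueError as exc:
            print(f"rejected: {exc}")
```

A field of "*" covers every port, so the same parser is a quick way to flag policies whose reach is wider than the role needs.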

Auth Server and CAS Status Page Modifications

The "802.1x Filter" entry is removed from the Status tab of the CAS management pages and "Transparent 802.1x" is removed from the Authentication Type dropdown menu of the New Auth Server configuration page. This affects the following web console pages:

Clean Access Agent New Requirement Page Enhancement

Notes for AV and AS vendors are moved up to the Vendor Name dropdown menu, and the table title is changed from "Products" to "Product versions supported for Update via Clean Access Agent" for the New Requirements page. This affects the following web console page:

Clean Access Agent Enhancements (3.6.1.0)

•The Clean Access Agent can now be run by a restricted user on the local machine (user is not an administrator or power user). Administrator privileges are still necessary to perform the initial Agent installation.

•The event.log file used for Agent debug logging is now stored in the user's home directory (e.g. C:\Documents and Settings\<username>\Application Data\CiscoCAA\event.log) instead of the Agent installation directory, and the path of the registry key changes to HKEY_CURRENT_USER. See Enable Debug Logging on the Clean Access Agent for details.

Note It is not recommended to upgrade the Agent from version 3.5.11 to 3.6.0.0 or 3.6.0.1. There may be issues with the uninstall/install procedure with selective files not being upgraded correctly or subsequent uninstalls failing. If you are using 3.5.11, it is recommended that you upgrade directly to the 3.6.1.0 Agent (bundled with Cisco Clean Access release 3.6(1)). For details, see caveat CSCsd28300.

Servers with Broadcom NIC controllers, upon installing/upgrading to 3.6.0/3.6.0.1, may demonstrate issues with networks where VLAN tags are of importance. Cisco has made instructions available to modify a setting on Broadcom controllers to address the issue. See CSCsd08348 for complete details.

•If you have existing users, test the ED release in your lab environment first and complete a pilot phase prior to production deployment.

Note Your production license will reference the MAC address of your production CAM. When testing on a different box before upgrading your production Clean Access environment, you will need to get a trial license for your test servers. For details, see "How to Obtain Evaluation Licenses" in Cisco NAC Appliance Service Contract/Licensing Support.

•Do not upgrade to release 3.6(0) if you are currently using Monitoring > SNMP traps from the Clean Access Manager.

Important Notes for Nessus Plugins with 3.6(0) Upgrade

When upgrading to 3.6(0), and using network scanning (Nessus) plugins for any specified client OS, be sure to enable the same plugins in the "ALL" OS category (and deselect "Enable scanning with selected plugins" for the "ALL" OS category, if applicable). This will prevent users from being quarantined with no way to remediate or be removed. This issue is resolved in release 3.6.0.1 of Cisco Clean Access. See caveat CSCsc82522 for details.

New Features and Enhancements in Release 3.6(0)

This section details the new features delivered with release 3.6(0) of the Cisco Clean Access Manager and Cisco Clean Access Server, as well as enhancements from release 3.5(8).

Support for CCA-3140-H1

The CCA-3140-H1 is an affordable 1U, 1 Xeon 2.8GHz CPU Intel processor server equipped with features that provide customers with a platform for Cisco Clean Access Manager or Server deployment.

Expanded Support for RAID/SATA Hardware

Release 3.6(0) of Cisco Clean Access (NAC Appliance) provides support for the following:

•RAID controller support

•SATA servers

•SCSI controller support

Preconfigured Checks for Anti-Spyware Software

With release 3.6, Cisco Clean Access expands and adds new Clean Access Agent-based support for the detection of Anti-Spyware (AS) software and subsequent checking of AS application status. As with Antivirus product support, this is achieved through communicating with the installed Anti-Spyware software (if there is any installed AS software) through an API on the client device.

Administrators will be able to test for the existence of anti-spyware or spyware blocker software on clients, as well as if those products are up-to-date. Cisco Clean Access Agent Updates will incorporate the latest revisions of AS product support into the newly-combined Supported AV/AS Product List, providing support for 17 new AS vendors, in addition to support for 21 AV product vendors. See Expanded AV/AS Product List (Version 22) for details.

Support for AV/AS Definition Files to be Older than Current System Date

Release 3.6(0) introduces the ability to configure AV Virus Definition rules and AS Spyware Definition rules to allow definition files to be any number of days older than the latest file date or current system date.

Note For AS Spyware Definition rules, the system will enforce this feature (allowing the definition files to be X days older than the current system date) until Cisco Update service is available to regularly update the date/version for Spyware definition files.

Enhanced OS Fingerprinting

By default, the system uses the User-Agent string from the HTTP header to determine the client OS. Release 3.6.0 provides additional detection options to include using the platform information from JavaScript, or OS fingerprinting from the TCP/IP handshake to determine the client OS. This feature is intended to prevent users from changing identification of their client operating systems through manipulating HTTP information. Note that this is a "passive" detection technique (accomplished without Nessus) that only inspects the TCP handshake and is not impacted by the presence of a personal firewall.
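To make the passive-detection point concrete, here is an added example (not Cisco's code, and not how the CAS implements the feature) of a defender-side consistency check: the OS inferred from a TCP SYN's TTL, window size and option layout is compared with the OS the HTTP User-Agent claims, and a mismatch is flagged for stricter handling. The signature table and the sample SYN observations are constructed, simplified p0f-style values assumed for illustration, not an authoritative fingerprint database.

```python
"""Added example: passive TCP SYN fingerprint vs. HTTP User-Agent check.

Not Cisco code. SYN_SIGNATURES is a constructed, simplified p0f-style
table assumed for illustration; it is not an authoritative database.
"""

# Constructed signatures: initial TTL, SYN window size, TCP option layout.
SYN_SIGNATURES = [
    {"os": "Windows", "ttl": 128, "window": 65535, "options": "MSS,NOP,NOP,SACK"},
    {"os": "Windows", "ttl": 128, "window": 16384, "options": "MSS,NOP,NOP,SACK"},
    {"os": "Linux", "ttl": 64, "window": 5840, "options": "MSS,SACK,TS,NOP,WS"},
    {"os": "Mac OS X", "ttl": 64, "window": 65535, "options": "MSS,NOP,WS,NOP,NOP,TS,SACK,EOL"},
]


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value.

    Each router hop decrements the TTL, so a client that started at 128
    typically arrives with something like 117..127.
    """
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint_syn(ttl, window, options):
    """Guess the client OS from the handshake alone (no Nessus, no probe)."""
    start_ttl = initial_ttl(ttl)
    for sig in SYN_SIGNATURES:
        if (sig["ttl"], sig["window"], sig["options"]) == (start_ttl, window, options):
            return sig["os"]
    return "unknown"


def os_from_user_agent(user_agent):
    """Extract the OS the client *claims* in its HTTP User-Agent header."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "Windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "Mac OS X"
    if "linux" in ua:
        return "Linux"
    return "unknown"


def check_consistency(ttl, window, options, user_agent):
    """Compare claimed vs. observed OS; a mismatch is a policy-evasion signal.

    Returns a dict with both views and one of three verdicts:
    'consistent', 'mismatch' or 'undetermined' (no signature matched).
    """
    claimed = os_from_user_agent(user_agent)
    observed = fingerprint_syn(ttl, window, options)
    if observed == "unknown":
        verdict = "undetermined"
    elif observed == claimed:
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return {"claimed": claimed, "observed": observed, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample observations: (ttl, window, options, User-Agent).
    samples = [
        (117, 65535, "MSS,NOP,NOP,SACK",
         "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
        (52, 5840, "MSS,SACK,TS,NOP,WS",
         "Mozilla/5.0 (Windows NT 5.1; rv:1.8) Gecko/20060101 Firefox/1.5"),
    ]
    for sample in samples:
        print(check_consistency(*sample))
```

The second sample is the case the feature targets: the header claims Windows, so the Windows-specific requirements would be applied, but the handshake says the stack is something else. The sensible policy reaction to a 'mismatch' is to fall back to the OS-independent requirements rather than trust the header; 'undetermined' is worth keeping as its own state, since an unusual TCP stack can produce a signature the table does not list.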

Enhanced L2 Strict Mode User Support (Agent Only)

With release 3.6(0) CAM/CAS and 3.6.0.0 Agent, administrators can restrict Clean Access Agent clients to be connected to the Clean Access Server directly as their only gateway using the "Enable L2 strict mode for Clean Access Agent."

When this feature is enabled, the Clean Access Agent will send the MAC addresses for all interfaces on the client machine with the login request to the CAS. The CAS then checks this information to ensure no NAT exists between the CAS and the client. The CAS verifies and compares MAC addresses to ensure that the MAC address seen by the CAS is the MAC address of the Agent client machine only. If user home-based wireless routers or NAT devices are detected between the client device and the CAS, the user is not allowed to log in. With release 3.6(0), administrators have the following options:

•Enable L3 support for Clean Access Agent —The CAS allows all users from any hops away.

•Enable L2 strict mode for Clean Access Agent — The CAS does not allow users who are more than one hop away from the CAS. The user will be forced to remove any router between the CAS and the user's client machine to gain access to the network.

•Both options left unchecked (Default setting)— The CAS performs in L2 mode and expects that all clients are one hop away. The CAS will not be able to distinguish if a router is between the CAS and the client and will allow the MAC address of router as the machine of the first user who logs in and any subsequent users. Checks will not be performed on the actual client machines passing through the router as a result, as their MAC addresses will not be seen.

Note •Enabling or disabling L3 or L2 strict mode ALWAYS requires an Update and Reboot of the CAS to take effect. Update causes the web console to retain the changed setting until the next reboot. Reboot causes the process to start in the CAS.

•L3 and L2 strict options are mutually exclusive. Enabling one option will disable the other option.
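The three options above, expressed as an added example (not Cisco's code): a small decision function that applies the L2 strict rule by comparing the Agent-reported interface MACs with the source MAC the CAS actually saw, plus a detection helper for the default-mode blind spot, where one router's MAC would end up carrying several usernames. Mode names, function names and MAC addresses are constructed for illustration.

```python
"""Added example: L2 strict mode hop/NAT check and a default-mode detector.

Not Cisco code. Mode names, function names and MAC addresses are
constructed for illustration.
"""


def normalize_mac(mac):
    """Canonical lower-case colon form so 00-11-22-... and 00:11:22-... compare equal."""
    return mac.strip().lower().replace("-", ":")


def configure_mode(enable_l3, enable_l2_strict):
    """Map the two checkboxes to an effective mode; they are mutually exclusive."""
    if enable_l3 and enable_l2_strict:
        raise ValueError("'Enable L3 support' and 'Enable L2 strict mode' cannot both be set")
    if enable_l3:
        return "l3"
    if enable_l2_strict:
        return "l2_strict"
    return "l2_default"


def evaluate_login(mode, agent_macs, frame_src_mac):
    """Decide whether a login request is accepted.

    agent_macs: MAC addresses of every interface on the client, as the
    Agent reports them in its login request.
    frame_src_mac: the source MAC the CAS actually saw on that request.
    """
    reported = {normalize_mac(m) for m in agent_macs}
    seen = normalize_mac(frame_src_mac)
    if mode == "l3":
        return {"allowed": True, "reason": "L3 support: clients any number of hops away are accepted"}
    if mode == "l2_strict":
        if seen in reported:
            return {"allowed": True, "reason": "source MAC belongs to the client; no NAT in path"}
        return {"allowed": False,
                "reason": f"router/NAT detected: CAS saw {seen}, which is not a client interface"}
    # Default L2 mode: one hop is assumed but never verified, so a router's
    # MAC is accepted as if it were the client's own.
    return {"allowed": True, "reason": "default L2 mode: adjacency assumed, not verified"}


def macs_shared_by_users(logins):
    """Default-mode blind spot detector.

    logins: iterable of (username, source MAC seen by the CAS). A MAC that
    carries several distinct usernames is the footprint of a home router or
    NAT device hiding multiple clients; flag it for investigation.
    """
    users_by_mac = {}
    for user, mac in logins:
        users_by_mac.setdefault(normalize_mac(mac), set()).add(user)
    return {mac: sorted(users) for mac, users in users_by_mac.items() if len(users) > 1}


if __name__ == "__main__":
    client_macs = ["00:11:22:33:44:55", "00:11:22:33:44:66"]  # constructed
    router_mac = "00:aa:bb:cc:dd:ee"                          # constructed
    strict = configure_mode(enable_l3=False, enable_l2_strict=True)
    print(evaluate_login(strict, client_macs, "00-11-22-33-44-55"))  # allowed
    print(evaluate_login(strict, client_macs, router_mac))           # denied
    print(evaluate_login("l2_default", client_macs, router_mac))     # allowed, unverified
    print(macs_shared_by_users([("alice", router_mac), ("bob", router_mac),
                                ("carol", client_macs[0])]))
```

In default mode the third call is accepted even though the frame came from the router, which is exactly the gap the text describes; the `macs_shared_by_users` pass over the login records is the after-the-fact signal an administrator can use when strict mode is not yet enabled.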

Agent Patch File Upload

Release 3.6(0) now supports uploading of the Agent Patch Upgrade file (upgrade.tar.gz) in addition to the Agent Setup Installation File (setup.tar.gz) through the same Distribution page interface control. This feature allows administrators to revert to a previous patch upgrade file for distribution. Previously, only setup installation files for new installations of the Clean Access Agent could be reverted to prior versions.

This feature is only available for release 3.6(0) and above and Clean Access Agent version 3.6.0.0 or above.

Caution Because the CAM differentiates the Agent setup and upgrade file types by filename, it is mandatory for users to retain the same names used for the files on Cisco Secure Downloads, for example, CCAAgentSetup-3_6_0_0.tar.gz or CCAAgentUpgrade-3_6_0_0.tar.gz.

Clean Access Agent (3.6.0.0)

•Version 3.6.0.0 and above of the Clean Access Agent supports the new Anti-Spyware (AS) integration provided with release 3.6(0).

•The 3.6.0.0 Agent adds a new dialog screen to show all of the AV and AS products installed on the client machine. Right-clicking the Agent icon in the system tray (taskbar menu) and selecting Properties will display the installed AV/AS product details for the client machine.

SSL Certificate Chain is Verified Before Installation

Release 3.6(0) now verifies the SSL certificate chain before installing certificates on the CAM and CAS. Cisco Clean Access will not allow installation of an unverifiable certificate chain, and only restarts CAM/CAS web service after the entire certificate chain is verified and installed. This enhancement removes the need to import certificates in a certain sequence (as was necessary for prior releases), as certificates are imported to a temporary store first before being verified and installed. This feature is also intended to support administrators using intermediate signing authorities, in cases where several intermediate certificates may need to be imported. When importing any of the following:

•Private key from backup

•CA-signed certificate

•Intermediate root certificates

The CAM/CAS will place these into a temporary store, verify the certificate chain, install the uploaded certificates, and only restart CAM and CAS web service if the verification and installation of uploaded certificates is successful.

Page layouts have been enhanced for certificate forms, and Private Key and Installed Certificate Details can now be viewed from individual popups on the Import Certificate and Export Certificate forms, respectively.

In addition, the following notes are added to the Import Certificate form on the CAS management pages and CAS direct access web console:

(* "Trust Non-Standard CA" is for communication between the Clean Access Manager and Clean Access Server. If the Clean Access Manager cert is signed by a CA that is not well known, import the CA cert here to have it accepted. Clean Access Server must be rebooted to take effect.)

The following note is added to the Import Certificate form on the CAM SSL Certificate tab:

(* Non-Standard CA is for SSL communication between the Clean Access Manager and some authentication servers, e.g. LDAP Server.)

Ports Changed for CAM/CAS Connectivity Across Firewall

The Clean Access Manager uses RMI for parts of its communication with the Clean Access Server, which means it uses dynamically allocated ports for this purpose. For customer deployments that have firewalls between the CAS and the CAM, Cisco recommends setting up rules in the firewall that allow communication between the CAS and CAM machines, that is, a rule that allows traffic originating from the CAM destined to the CAS (and vice versa).

In release 3.6, the port range is changed to TCP 8995~8996.

For release 3.6, TCP ports 80, 443, 1099, and 8995~8996 are required.

Maximum Simultaneous Connections Supported in NAT Gateway Mode

In release 3.6, ports 20000-65535 are used for NAT Gateway mode, supporting a maximum of 45,536 simultaneous connections.

Nessus 2.2 Plugin Support

With release 3.6(0) and above, you can use Nessus 2.2 plugins to perform network scanning in Cisco Clean Access. The filename of the uploaded Nessus plugin archive must be plugins.tar.gz.

Note that most Nessus 2.2 plugins are backwards compatible with Nessus 2.0. Plugins not compatible with Nessus 2.2 can be updated by uploading a new plugins.tar.gz archive.

Network Scanner (Nessus) Page Enhancements

Enhancements to the Plugins page layout greatly improve GUI response time when selecting Nessus plugins and move the "Show [Selected] Plugins" dropdown to the bottom of the page. The Nessus plugin Options page layout is also enhanced to differentiate Category from Preference Name dropdown menus, and Enable checkbox, if applicable.

These enhancements affect the following pages of the CAM web console, respectively:

General Setup Page Enhancements

Clean Access Supported AV/AS Product List

This section describes the Supported AV/AS Product List that is downloaded to the Clean Access Manager via Device Management > Clean Access > Clean Access Agent > Updates for AS and AV integration support in release 3.6(x). The Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported AV/AS vendors and product versions used to configure AV/AS Rules and AV/AS Definition Update requirements.

The Supported AV/AS Product List contains information on which AV/AS products and versions are supported in each Clean Access Agent release and CAM/CAS release along with other relevant information. It is updated regularly to bring the relevant information up to date and to include newly added products for new releases. Cisco recommends that you keep your list current, especially when you upload a new Agent Setup version or Agent Patch version to your CAM. Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages list all the new products supported in the new Agent.

The charts show which AV/AS product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Clean Access Agent.

For a summary of what has changed from version to version of the Supported AV/AS Product List or Clean Access Agent, see also:

Note Where possible, it is recommended to use AV/AS Rules mapped to AV/AS Definition Update Requirements when checking for antivirus/antispyware software on clients. In the case of a non-supported AV/AS product, or if an AV/AS product/version is not available through AV/AS Rules, administrators always have the option of using Cisco provided pc_ checks and pr_rules for the AV or AS vendor or of creating their own custom checks, rules, and requirements through Device Management > Clean Access > Clean Access Agent (use New Check, New Rule, and New File/Link/Local Check Requirement). See the Cisco Clean Access (NAC Appliance) Manager Installation and Administration Guide, Release 3.6 for configuration details.

Note that Cisco Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for products by AV/AS vendors, the Cisco Clean Access team will upgrade the Supported AV/AS Product List and/or Clean Access Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."

1"Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).

2The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.

3For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server.) If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.

1"Yes" in the AS Checks Supported columns indicates the Agent supports the AS Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).

2The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AS Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AS product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.

AV Chart (Windows XP/2000): support added for the following new products:

•AOL Safety and Security Center Virus Protection, 1.x

•Microsoft Windows OneCare Live, 0.8.x

•Rising Antivirus Software AV, 17.x

•Rising Antivirus Software AV, 18.x

•F-Prot for Windows, 3.16x

•Dr.Web, 4.33.x

•BitDefender 9 Internet Security AntiVirus, 9.x

AS Chart (Windows XP/2000)—support added for the following new products:

•Microsoft AntiSpyware, 1.X

•AOL Safety and Security Center Spyware Protection, 2.x

•CA eTrust Internet Security Suite AntiSpyware, 5.x

•CA eTrust PestPatrol, 5.x

•Ad-Aware SE Professional, 1.x

•Spyware Begone V7.30, 7.30.x

•Spyware Begone V7.40, 7.40.x

•Webroot Spy Sweeper Enterprise Client, 2.x

Note If planning to support Microsoft AntiSpyware 1.X, use the 3.6.1.0+ Agent. Microsoft AntiSpyware 1.X support is removed for 3.6.0.0/3.6.0.1 Agents.

AV Chart (Windows ME/98) — No changes

Release 3.6.0.1 —3.6.0.1 Agent

Version 27

No changes to support charts for 3.6.x.x Agents.

Version 26

AV Chart (Windows XP/2000): support added for the following new products:

•F-Prot for Windows, 3.16c

•F-Prot for Windows, 3.16d

•Kaspersky Anti-Virus Personal Pro, 5.0.x

•Microsoft Windows OneCare Live, 0.8.x

•WebAdmin Client Antivirus, 3.x

Version 25

AS Chart (Windows XP/2000)—Removed support of the virus def date check for AVG Free Edition 7.x

Version 24

Minor internally used data change.

Version 23

AS Chart (Windows XP/2000) —Removed live update support for Spyware Doctor 3.2, 3.x

Release 3.6(0) —3.6.0.0 Agent

Version 22

Removed entry for CA eTrust PestPatrol, 5.x

Version 21

AS Chart (Windows XP/2000)—New anti-spyware product support for 17 AS vendors

AV Chart (Windows XP/2000) —Adds support for the following new products:

•AhnLab Security Pack, 2.x

•V3Pro 2004, 6.x

•avast! Antivirus, 4.x

•EarthLink Protection Control Center AntiVirus, 1.x

•Panda Titanium 2006 Antivirus + Antispyware, 5.x

•Norton Internet Security, 9.x

•SBC Yahoo! Anti-Virus, 7.x

AV Chart (Windows ME/98) — No changes

Clean Access Agent Version Summary

This section consolidates information for the Clean Access Agent client software. Table 10 lists the latest enhancements per version of the Clean Access Agent. Unless otherwise noted, enhancements are cumulative and apply both to the version introducing the feature and to subsequent versions.

Open Caveats - Release 3.6.4.4

When the user downloads the 3.5.1 or above Clean Access Agent, most security alert O/S software will indicate that the installer doesn't have a known publisher and a valid digital signature.

CSCsc40917

No

When performing 3.6.0 installation, the installer may crash if the "Back" button is chosen from the Package Group Selection screen.

CSCsc75542

No

During CD install, both CAS & CAM packages can be selected from Package Group Selection

When installing CCA from the CD, both the packages "CCA Manager" & "CCA Server" can be selected from the "Package Group Selection" for installation. On clicking "OK", the installation continues.

Workaround: The user is responsible for installing only one package on one machine. The user must not select both packages or no packages.

CSCsd90433

No

Apache does not start on HA-Standby CAM after heartbeat link is restored

CSCse60519

No

Cron job to sync system time not created or updated on HA-Inactive CAM

The file /etc/cron.daily/sync-time gets created or updated on modifying the time servers for CAM. This cron file does not get created on high availability HA-Inactive CAM, thereby depriving the inactive system to sync the system time from the time servers on a regular basis. Steps to reproduce:

1. Set up CAM in HA-failover mode.

2. Go to web page: Administration > Clean Access Manager > System Time.

3. Change the time servers to "clock.cisco.com".

4. Verify the changes have been reflected in cron job /etc/cron.daily/sync-time on the active CAM.

5. Check the HA-Inactive CAM for the cron file /etc/cron.daily/sync-time. The file may either not be present or have old time server settings.

Expected Results: The cron job file to sync the system time on HA-Inactive CAM should reflect the changes upon modification of time server settings on HA-Active CAM

Workaround: After modifying the time servers setting on HA-Active CAM, do a failover by shutting down the active CAM; This will make the inactive CAM take over the Service IP address; Modify the time server settings; and start the other CAM.

4. Click "Update". The CAM throws a warning announcing the current IP Range brings IP lease total up to a number that is not correct. The CAM counts the IP in the subnet twice which creates the discrepancy.

The issue does not affect DHCP functionality and is known to be strictly a cosmetic issue.

CSCsi07595

No

DST fix will not take effect if generic MST, EST, HST, etc. options are specified

Due to a Java runtime implementation, the DST 2007 fix does not take effect for Cisco NAC Appliances that are using generic time zone options such as "EST," "HST," or "MST" on the CAM/CAS UI time settings.

Workaround

If your CAM/CAS machine time zone setting is currently specified via the UI using a generic option such as "EST," "HST," or "MST," change this to a location/city combination, such as "America/Denver."

Note CAM/CAS machines using time zone settings specified by the "service perfigo config" script or specified as location/city combinations in the UI, such as "America/Denver" are not affected by this issue.

Resolved Caveats - Release 3.6.4.4

Table 12 List of Closed Caveats

DDTS Number

Software Release 3.6.4.4

Corrected

Caveat

CSCsj33976

Yes

CAM displays shared secret of CCA setup when adding CAS to CAM

A vulnerability exists in the Cisco Network Admission Control (NAC) Appliance that can allow an attacker to obtain the shared secret that is used between the Cisco Clean Access Server (CAS) and the Cisco Clean Access Manager (CAM).

Cisco has released free software updates that address this vulnerability.

Resolved Caveats - Release 3.6.4.3

After viewing details on a user the agent report goes back to first page

When viewing the Cisco Clean Access Agent report, if the Administrator clicks on a specific user ID to view details, the report refreshes back to the first/welcome page.

CSCse60046

Yes

Database connection failed entry visible in CAS log files

Expected Results: Under the current architecture, CAS should never try to make a direct connection to the PostgreSQL database

CSCsf01786

Yes

/etc/grub.conf needs to be a symbolic link

In 3.6.0~3.6.3 and 4.0.0, grub.conf is not changed correctly when ttyS0 is used as the heartbeat link. Some customers manually edited /etc/grub.conf as a workaround, and some of them broke the symbolic link by mistake. The upgrade script should make sure /etc/grub.conf is a symbolic link to /boot/grub/grub.conf.

CSCsf03465

Yes

Certificate import does not delete old .tomcat.csr file

When a private key/certificate combination is imported into either the CAM or the CAS, the existing .tomcat.csr file should be deleted. Otherwise, when the CSR is exported, it will be an incorrect CSR. As a precaution, it is better to always generate a new CSR based on the current key and cert.

CSCsf18821

Yes

Heartbeat Denial-of-Service (DOS) vulnerability

Linux-HA heartbeat version older than 1.2.5 and 2.0.7 are subject to remote DOS attack. http://www.securityfocus.com/bid/19516/info

CSCsf98683

Yes

CAM does not send Class attribute in RADIUS accounting

When you configure CAM to account user login events to a Radius server and use the Class attribute to account for a particular data, Class attribute is not sent in Radius Accounting packet.

CSCsg00598

Yes

Importing CA signed Cert required re-import of private key

When you upload a CA Signed Certificate to the CAM, you are also required to import the associated private key.

CSCsg11143

Yes

validation_table only published on CAS reboot

In an HA configuration, if the active Clean Access Server (CAS1) loses connectivity with the Clean Access Manager, but does not reboot, CAS2 then becomes active server. If you then fail back to CAS1, CAS1 does not republish the intern_validation_table from the CAM's database. Instead, CAM1 repeatedly adds older entries to the validation table.

CSCsg24153

Yes

Shared secret not updated on service perfigo config

"service perfigo config" does not update shared secret in /root/.secret

When changing the shared secret in the CAS and CAM using 'service perfigo config', the shared secret between the CAM and CAS is not updated. The existing pre-shared key will remain in use.

Note This caveat and workaround apply only to releases 4.0.0 to 4.0.3.2 and 3.6.0 to 3.6.4.2.

When updating the pre-shared key using `service perfigo config' on the CLI, the script edits /root/.secret but the hash stays the same even after restarting. The shared secret is generated but is always the same constant string.

The DHCP server can repeatedly assign an IP address that another user on the network has statically assigned to a machine. The DHCP server should abandon that IP after clients repeatedly decline it.

There are two known workarounds for this bug, one is to enable the option "ping-check" and set it to "true" or "on". This will slow DHCP lease assignment and should not be used in large deployments. This workaround will not work if the user who assigned the static IP address is using a firewall. The other is to identify the network users who are statically assigning IP addresses in the DHCP range and make them stop.

CSCsg44268

Yes

Need to accommodate for new daylight savings time regime from 2007

DST is changing to March (second Sunday) and November (first Sunday) starting from 2007 instead of April and October.
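The new rule stated in this caveat, carried out as an added example (not Cisco's code): a stdlib-only calculator for the pre-2007 and post-2007 US DST windows that lists the dates on which a host still applying the old rule is one hour off. Function names are my own assumptions; no time zone database is needed, so it runs where tzdata is absent.

```python
"""Added example: US daylight saving time windows before and after 2007.

Not Cisco code; stdlib only, no time zone database required. Function
names are my own.
"""
import datetime as dt

SUNDAY = 6  # datetime weekday numbering: Monday=0 ... Sunday=6


def nth_weekday(year, month, weekday, n):
    """The n-th given weekday of a month (n=1 first, n=2 second, n=-1 last)."""
    if n > 0:
        first = dt.date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        return first + dt.timedelta(days=offset + 7 * (n - 1))
    # Last occurrence: walk back from the last day of the month.
    next_month_first = dt.date(year + (month == 12), month % 12 + 1, 1)
    last = next_month_first - dt.timedelta(days=1)
    offset = (last.weekday() - weekday) % 7
    return last - dt.timedelta(days=offset)


def us_dst_window(year, new_rule=True):
    """(start, end) dates of US DST for a year.

    new_rule=True:  second Sunday of March to first Sunday of November (2007+).
    new_rule=False: first Sunday of April to last Sunday of October (pre-2007).
    """
    if new_rule:
        return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)
    return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)


def in_dst(date, new_rule=True):
    """True when local time is on DST for that date under the chosen rule."""
    start, end = us_dst_window(date.year, new_rule)
    return start <= date < end


def rule_mismatch_days(year):
    """Dates on which a host still applying the old rule reports local time
    one hour off: the window where log timestamps, certificate validity
    checks and scheduled jobs on such a host silently disagree with
    correctly patched systems."""
    day = dt.date(year, 1, 1)
    wrong = []
    while day.year == year:
        if in_dst(day, new_rule=True) != in_dst(day, new_rule=False):
            wrong.append(day)
        day += dt.timedelta(days=1)
    return wrong


if __name__ == "__main__":
    print("2007 new rule:", us_dst_window(2007, new_rule=True))
    print("2007 old rule:", us_dst_window(2007, new_rule=False))
    days = rule_mismatch_days(2007)
    print(f"{len(days)} days off by one hour, from {days[0]} to {days[-1]}")
```

For 2007 the two rules disagree for four weeks: the three weeks from 11 March to the end of the month, and the week from 28 October to 3 November. Checking a CAM/CAS clock against an NTP reference on one of those days is the quickest way to confirm whether the fix has taken effect on a given box.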

Windows Vista should not be recognized by Agent as Windows NT in 3.5.x and 3.6.x

Although we don't support Vista in the 3.5 and 3.6 branches, Vista machines should be recognized as Windows_ALL instead of Windows_NT when users log in.

CSCsh15238

Yes

Memory leak in RADIUS Authentication/Accounting module

If Radius is configured as the authentication/accounting server in [User Management > Auth Server > Auth Server] or [User Management > Auth Server > Accounting], there is a slow memory leak and the system will run out of memory eventually.

Resolved Caveats - Release 3.6.4.2

Table 14 List of Closed Caveats

DDTS Number

Software Release 3.6.4.2

Corrected

Caveat

CSCsg02604

Yes

Default gateway ARP Entries for some DHCP scopes unexpectedly flushing out of the CAS ARP table.

When editing an auto-generated subnet in the subnet list tab on CAM GUI "Device Management > Manage [IP_Address] > Network > DHCP > Subnet List > Edit", any changes made to the Disabled / Enabled subnets list are committed and saved even if the update failed due to an error or warning in other input provided.

Expected Results: Either none or all the changes should be committed. The warning message must include that the requested changes are not being saved and clicking "Update" button again will save those changes in case of exceeding the recommended DHCP IP lease limit.

Resolved Caveats - Release 3.6.4.1

Table 15 List of Closed Caveats

DDTS Number

Software Release 3.6.4.1

Corrected

Caveat

CSCse97903

Yes

tg3 RPM must be unconditionally installed after upgrade of kernel RPM

When upgrading from 3.6(x) versions containing latest tg3 rpm package tg3-2.6.11-2, the tg3 driver gets overwritten by the kernel rpm. Since tg3 rpm gets updated conditionally, the tg3 driver does not get updated post kernel rpm update in those versions.

Expected Results: tg3 RPM must be unconditionally installed after upgrade of kernel RPM, which will install proper tg3 driver

Resolved Caveats - Release 3.6(4)

Table 16 List of Closed Caveats

DDTS Number

Software Release 3.6(4)

Corrected

Caveat

CSCse74152

Yes

Serial Login disabling does not work

Serial Login capability did not work as intended in any 3.6 or 4.0 branch builds. On the Clean Access Server, the "Disable Serial Login" checkbox could be enabled or disabled, and the state of the Serial Login for that server would not change. On the Clean Access Manager, the instructions described a procedure that, if followed, would not alter the state of the Serial Login for that manager.

CSCse81871

Yes

Perfigo script is not copied to /etc/init.d/perfigo in upgrade script

Perfigo script is modified to fix bug CSCse53459, however, this script is not copied (or linked) to /etc/init.d/perfigo

CSCse89648

Yes

Upgrade re-enables serial login

3.5.11, all 3.6 branch and all 4.0 branch upgrades enable serial login, even if it was previously disabled via the HA UI.

Workaround: After upgrading to one of the affected versions, go in via the UI and disable serial login again.

On L2 Inband CAS with VLAN mapping configured, if a Macintosh is introduced on the untrusted network and if the Macintosh is sending out DHCP requests, it breaks packet forwarding on the CAS for all users in the VLAN.

Symptoms include devices on the untrusted VLAN not being able to reach any device on the trusted network. Users will not be able to get an IP address.

Note This issue affects 3.6.3 and 4.0.1 only.

CSCse91178

Yes

Old chain certificate not deleted when temporary certificate regenerated

The old chain certificate (.chain.crt) is not deleted when a new temporary certificated is generated. Steps to reproduce:

You will get SSL handshake errors. The old .chain.crt is still present. It will need to be deleted before SSL handshake can successfully occur.

Note This issue affects 3.6(3) 4.0(0)

CSCse91268

Yes

Post-3.5 to 3.6/4.0 upgrade NIC switch, HA issue with SSKEY

When NICs are switched as a result of upgrading a 3.5 system to 3.6/4.0, the HA JSPs have an issue with the SSKEY. When CAM connects to the newly upgraded CASs, it detects that CAS SSKEY has changed and resets it to the old one. However, the CAS HA pages detect that the SSKEY is not what it should be and then changes it back.

CSCse96696

Yes

Changes in Time zone setting should be preserved across CAS / CAM reboot

Resolved Caveats - Release 3.6.2.2

Table 18 List of Closed Caveats

DDTS Number

Software Release 3.6.2.2

Corrected

Caveat

CSCsd79205

Yes

DB Sync in HA CAMs can be broken by restarting standby

In a CAM Failover configuration, if the standby (inactive) CAM is restarted (service perfigo restart), then the DB synchronization is broken from that point on. This is because pg_sync_peer fails and the DB connections to the remote peer fail. Errors can be found in /tmp/pg_sync_log.

Resolved Caveats - Release 3.6.2.1

Table 19 List of Closed Caveats

DDTS Number

Software Release 3.6.2.1

Corrected

Caveat

CSCsd74376

Yes

CCA 3.6.x Reset Issues with HP servers with Broadcom NICs

In the past, CSCsd08348 has covered issues with Broadcom NICs, namely the BCM5702/BCM5703/BCM5704 which could be resolved by a firmware update from HP. Currently, we're seeing newer revisions of the Broadcom NIC which are not patched by this firmware update, including the BCM5721. NICs are currently resetting and not coming back up which leads to users being unable to SSH/ping/manage the CCA servers. This can be confirmed by checking /var/log/messages for output similar to that which is shown below:

In 3.6.1 and 3.6.0, removing the entry removes it from the CAM DB and UI but does not remove it from the CAS filters and you will see an error in /var/log/messages or on the console. That error message should disappear and the filter should no longer be applied after it has been removed.

CSCsd48226

Yes

Kernel Panic errors seen when using Enhanced OS Fingerprinting

CSCsd53056

Yes

Failed login attempts should be logged in CAM event log with the remote IP address, username and time of login attempt. The failed login event log entry would be quite similar to that of a failed login attempt [from untrusted side] on the CAS.

CSCsd65839

Yes

Upgrade script fails to transfer the snapshot to non-CCA machine from CAS

CSCsd70048

Yes

Edit Filter Subnets for CCA Server does not work

Resolved Caveats - Release 3.6.1.1

Table 21 List of Closed Caveats

DDTS Number

Software Release 3.6.1.1

Corrected

Caveat

CSCsd41503

Yes

3.6.x-to-3.6.1 upgrade breaks browser-based login

Upgrade from 3.6.x to 3.6.1 can disable web login (browser-based login). This is due to tightened permissions on one of the Apache directories in 3.6.1.

CSCsd42874

Yes

Upgrading to 3.6.1 from 3.6.0 does not upgrade the CCA agent properly

With 3.6.1 upgrade from 3.6.0, the CCA agent does not get upgraded properly. The previous agent may remain in the database while the database values change to the upgraded ones.

Resolved Caveats - Release 3.6(1)

Table 22 List of Closed Caveats

DDTS Number

Software Release 3.6(1)

Corrected

Caveat

CSCsc64719

Yes

CA AV configured to use a local http server, Agent cause CA to check FTP

The customer has CA AV configured to check only a local HTTP server. When the Agent attempts an update, it causes the CA software to check an FTP server on the Internet instead of the customer's custom-configured local HTTP server.

Symptom: CA Antivirus fails to update from the locally configured HTTP server when the CCA Agent starts the update connection.

Conditions: CA Antivirus is configured to download its updates from a local HTTP server instead of the FTP server on the Internet. The CCA Agent detects that the AV software is not up to date, and the user chooses to have the CCA Agent update the AV client.

Workaround: Use default setting for the CA AV or manually start the update from CA AV.

If CCA Agent updates are run on 3.5 prior to upgrade, upgrade from 3.5 to 3.6 is performed, then updates are run after upgrade to 3.6, some Cisco Updates may fail until the cache clears from the proxy servers along the HTTP request/response chain between the CAM and the Cisco Servers.

CSCsc80264

Yes

CCA agent crashes when run by user with restricted access

The admin user (logged in as Administrator) installs the CCA Agent and logs off; a user with restricted access then logs on and launches the CCA Agent. When run by a user with restricted access, the Agent crashes on the following actions:

1. Click "Popup Login Windows"
2. Select/deselect the "Remember Me" checkbox on the CCA Agent Login Window
3. Log in for the very first time after install (the admin never logged in after install)
4. Change the "Discovery Host" under Agent Properties (only applicable to Agent v3.6.0.0 and up)

CSCsc82506

Yes

Default user agreement page doesn't show correctly through proxy

CSCsc85316

Yes

Firefox has problems with the scan reports link

The "user info" box is checked for the successfully authenticated users. When a Firefox client clicks on the Scan Report link on the page that opens with the Logout button, a Javascript error message appears.

User can login using CCA Agent and is allowed on the network without accepting the "Network Usage Terms & Conditions".

Steps to reproduce:

1. Configure the CAM to check the software and run Nessus scans on clients.
2. Launch the CCA Agent and perform the login.
3. When the "Accept/Reject" dialog box for the network usage policy appears, right-click the CCA Agent icon in the tray and click "Exit".
4. Launch the CCA Agent again and perform the login. The user is not shown the "Network Usage Terms & Conditions" and bypasses the "Accept/Reject" step for these terms.

Technically, the user never accepted the "Network Usage Terms & Conditions" and was allowed to access the network.

CSCsc89288

Yes

Client machines that have SpyBot anti-spyware installed will be logged out immediately, showing Invalid DMReport in the logs. (CAS patch and Agent patch required; see Enhancements for Release 3.6.0.1).

CSCsc89894

Yes

Button "Verify and Install Uploaded Certificates" does not work

CSCsc91332

Yes

Spaces not stripped from username/password while creating new local user

Spaces [left and right] are not stripped from username / password while creating or modifying local users. However, the [left & right] spaces are stripped from the username/password entered into the CCA agent or in the web form.

CSCsc97952

Yes

H+BEDV AntiVir/XP 6.32.x def date/version couldn't be detected

CSCsd01069

Yes

JSP execution should only be allowed in selective web directories

CSCsd03329

Yes

Import certificate does not work on CAM running in standby mode

CSCsd03955

Yes

Header file perfigo_header.jsp should display version of CCA Server

Header file perfigo_header.jsp should display the CCA version information of the CAS. Currently, the version information is being displayed only on CAM running in Standalone or HA-Primary mode.

CAM running in HA-Standby mode should also display the version information in top header using admin_header.jsp

CSCsd05095

Yes

Button "Update Time Zone" does not work on CAM

The CAM does not return any HTTP response and does not log any entry in the tomcat access_log file.

Note You do not have to apply the workaround below if upgrading to 3.6(1) or above.

Servers with Broadcom NIC controllers, upon upgrading to 3.6.0 or installing 3.6.0, will demonstrate issues with networks where VLAN tags are of importance. Symptoms can include failure of DHCP (because the VLAN tags are lost) or failure to route traffic appropriately. This behavior is not consistent and is due to a feature known as IPMI on the Broadcom NICs.

Workaround 2: If the 3.5.11 Agent has already been upgraded to 3.6.0.0/3.6.0.1, you must reinstall the 3.5.11 Agent manually on the client. Then, either uninstall the 3.5.11 Agent from Add/Remove Programs to fully clean the machine of the old 3.5 files and have the client download the new 3.6.1.0 Agent, or leave the 3.5.11 Agent on the client and have the client auto-upgrade to the 3.6.1.0 Agent.

CSCsd35643

Yes

Incorrect message when using the Update button in Agent

In 3.6.0.0 and 3.6.0.1, if the vendor name is configured as "ANY" in the AV Definition type of requirement, for several AV products the Agent reports an incorrect message saying that no product could be found when the "Update" button is clicked.

Client machines which have SpyBot anti spyware installed will be logged out immediately showing Invalid DMReport in the logs. (CAS patch and Agent patch required; see Enhancements for Release 3.6.0.1).

Known Issues with Switches

Known Issues with Broadcom NIC 5702/5703/5704 Chipsets

Customers running CCA release 3.6(2), 3.6(1), or 3.6(0) on servers with 57xx Broadcom NIC cards may be impacted by caveat CSCsd74376. Server models with Broadcom 5702/5703/5704 NIC cards may include: Dell PowerEdge 850, CCA-3140-H1, HP ProLiant DL140 G2/DL360/DL380. This issue involves the repeated resetting of the Broadcom NIC cards. The NIC cards do not recover from some of the resets, causing the machine to become unreachable via the network. You will see messages such as the following in /var/log/messages:

Mar 21 11:43:05 cas2b kernel: tg3: eth1: Flow control is off for TX and off for RX.

The fundamental cause of this problem is a firmware bug in the Broadcom chipsets used in HP servers. Versions 3.6(2), 3.6(1), 3.6(0) of the CCA software are impacted by this bug.

Solution

Note If upgrading from 3.5(x) to 3.6(3) or above and your system uses the 5702/5703/5704 Broadcom NIC chipsets, you will still need to perform step 2a. However, none of the other steps are necessary. Note that you can apply the firmware upgrade from HP before or after upgrading to CCA 3.6(3)+.

1. Verify the type of NIC controller being used on your CAM/CAS servers by looking at the output of the lspci -v command.

2. If your machine has the 5702/5703/5704 Broadcom chipset, you need to perform two steps:
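Step 1 identifies the NIC with lspci -v, and the tg3 line quoted above is the signature to look for in /var/log/messages. The following shell functions are an added example, not from the Cisco release notes: they screen lspci output for the 5702/5703/5704 chipsets and count tg3 kernel messages per interface; the lspci and log lines embedded here are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Cisco release notes): screen a CAM/CAS host for the
# Broadcom 5702/5703/5704 chipsets named in CSCsd74376 and count tg3 kernel
# messages per interface. Functions take their input as a string so they can be
# run against captured output as well as a live host.

# Print the affected Broadcom NIC lines found in `lspci -v` output; return 1 if none.
affected_broadcom_nics() {
    printf '%s\n' "$1" | grep -Ei 'Ethernet controller:.*Broadcom.*BCM570[234]'
}

# Count kernel "tg3: ethN:" messages per interface in /var/log/messages-style input
# and print "ethN <count>" lines. A climbing count on one interface, with link
# down/up pairs, is the repeated-reset pattern described above.
tg3_messages_per_interface() {
    printf '%s\n' "$1" | awk '
        $5 == "kernel:" && $6 == "tg3:" {
            iface = $7; sub(/:$/, "", iface); n[iface]++
        }
        END { for (i in n) print i, n[i] }' | sort
}

# Live-host wrapper: exit 0 when an affected chipset is present on this machine.
host_is_affected() {
    affected_broadcom_nics "$(lspci -v 2>/dev/null)" >/dev/null
}

# Constructed sample data (not captured from a real CAM/CAS).
SAMPLE_LSPCI='02:01.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5704 Gigabit Ethernet (rev 10)
02:01.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5704 Gigabit Ethernet (rev 10)
04:00.0 Ethernet controller: Intel Corporation 82541GI Gigabit Ethernet Controller'

SAMPLE_LOG='Mar 21 11:43:05 cas2b kernel: tg3: eth1: Flow control is off for TX and off for RX.
Mar 21 11:43:05 cas2b kernel: tg3: eth1: Link is up at 1000 Mbps, full duplex.
Mar 21 11:44:12 cas2b sshd[2211]: Accepted password for root from 10.201.2.40
Mar 21 11:47:30 cas2b kernel: tg3: eth1: Link is down.
Mar 21 11:47:33 cas2b kernel: tg3: eth1: Flow control is off for TX and off for RX.
Mar 21 11:47:33 cas2b kernel: tg3: eth0: Link is up at 100 Mbps, full duplex.'

# Run against the constructed samples when executed directly.
affected_broadcom_nics "$SAMPLE_LSPCI"
tg3_messages_per_interface "$SAMPLE_LOG"
```

On a real server, feed `lspci -v` and `/var/log/messages` to the two functions instead of the samples.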

Known Issue with Windows 98/ME/2000 and Windows Script 5.6

Windows Script 5.6 is required for proper functioning of the Cisco Clean Access Agent in release 3.6(x). Most Windows 2000 and older operating systems come with Windows Script 5.1 components. Microsoft automatically installs the new 5.6 component on performing Windows updates. Windows installer components 2.0 and 3.0 also require Windows Script 5.6. However, PC machines with a fresh install of Windows 98, ME, or 2000 that have never performed Windows updates will not have the Windows Script 5.6 component. Cisco Clean Access cannot redistribute this component as it is not provided by Microsoft as a merge module/redistributable.

In this case, administrators will have to access the MSDN website to get this component and upgrade to Windows Script 5.6. For convenience, links to the component from MSDN are listed below:

Tip If these links change on MSDN, try a search for the file names provided above or search for the phrase "Windows Script 5.6."

New Installation of Release 3.6(x)

If you purchased and are performing a first installation of Cisco Clean Access, use the following steps.

For New Installation:

1. If you have a previous version of Cisco Clean Access, back up your current Clean Access Manager installation and save the snapshot on your local computer, as described in General Preparation for Upgrade.

4. After software installation, access the Clean Access Manager web admin console by opening a web browser and typing the IP address of the CAM as the URL. The Clean Access Manager License form will appear the first time you do this to prompt you to install your FlexLM license files.

General Preparation for Upgrade

You must upgrade your Clean Access Manager and all your Clean Access Servers concurrently. The Clean Access architecture is not designed for heterogeneous support (i.e., some Clean Access Servers running 3.6 software and some running 3.5 software).

•Upgrade Downtime Window

Depending on the number of Clean Access Servers you have, the upgrade process should be scheduled as downtime. For minor release upgrades (e.g. 3.6.3 to 3.6.4), our estimates suggest that it takes approximately 15 minutes for the Clean Access Manager upgrade and 10 minutes for each Clean Access Server upgrade. Use this approximation to estimate your downtime window.

Note For the 3.5(x) to 3.6(x) migration process, allow considerably more time, particularly for high-availability (failover) pairs of machines.

•Clean Access Server Effect During Clean Access Manager Downtime

While the Clean Access Manager upgrade is being conducted, the Clean Access Server (which has not yet been upgraded, and which loses connectivity to the Clean Access Manager during Clean Access Manager restart or reboot) continues to pass authenticated user traffic.

Caution New users will not be able to logon or be authenticated until the Clean Access Server re-establishes connectivity with the Clean Access Manager.

•Database Backup (Before and After Upgrade)

For safekeeping, it is recommended to back up your current Clean Access Manager installation (using Administration > Backup) both before and after the upgrade and to save the snapshot on your local computer. Make sure to download the snapshots to your desktop/laptop for safekeeping. Backing up prior to upgrade enables you to revert to your previous 3.5(x) database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your 3.6(x) database. After the migration is completed, go to the database backup page (Administration > Backup) in the CAM web console. Download and then delete all earlier snapshots from there as they are no longer compatible. See also Create CAM DB Backup Snapshot.

Warning You cannot restore a 3.5 or earlier database to a 3.6 Clean Access Manager.

•Software Downgrade

Once you have upgraded your software to 3.6, if you wish to revert to 3.5, you will need to reinstall 3.5 from the CD and recover your configuration based on the backup you performed prior to upgrading to 3.6.

OOB Switch Trunk Ports and 3.6(x) Upgrade

Because Cisco Clean Access can control switch trunk ports for OOB (starting from release 3.6(1) and above), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports before or after upgrade. This can be done in one of two ways:

Migrating/Upgrading from 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11) to 3.6(x)

Notes on Migration

Cisco Clean Access recommends performing a new installation of the latest 3.6(x) release if you have an immediate need for a new installation or new deployment of Cisco Clean Access NAC Appliance. (See New Installation of Release 3.6(x) for details.)

If planning to migrate from release 3.5(x) to release 3.6(x), Cisco Clean Access provides a migration procedure from release 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11) only. Before upgrading to 3.6(x) ED, please ensure you understand the following:

•The underlying kernel is changed with release 3.6(x) and you can only perform migration to the latest 3.6(x) release from release 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11).

•Read and review the installation or upgrade/migration procedure completely before starting. The 3.6(x) upgrade/migration process differs considerably from minor release upgrades and requires physical CD installation, in addition to an upgrade file.

•If you have existing users, test the ED release in your lab environment first and complete a pilot phase prior to production deployment.

Note Your production license will reference the MAC address of your production CAM. When testing on a different box before upgrading your production Clean Access environment, you will need to get a trial license for your test servers. For details, see "How to Obtain Evaluation Licenses" in Cisco NAC Appliance Service Contract/Licensing Support.

•Do not upgrade to release 3.6(x) if you are currently using Monitoring > SNMP traps from the Clean Access Manager.

•OOB Deployments: Because Cisco Clean Access can control switch trunk ports for OOB (starting from release 3.6(1) and above), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports either before or after upgrade. See OOB Switch Trunk Ports and 3.6(x) Upgrade for details.

•DHCP configuration is preserved for each CAS in the configuration during upgrade.

•When migrating/upgrading between major versions, such as from 3.5(x) to 3.6(x), Clean Access Agent Setup/Patch installation files are automatically upgraded with the CAM for compatibility with the new release.

Summary of Migration Procedure

The Cisco Clean Access 3.6 upgrade differs considerably from previous upgrades. The Cisco Clean Access 3.6 upgrade will create a complete snapshot of the configuration of your existing deployment, including failover information. This snapshot will be automatically copied to a remote server. The remote server must not be a Cisco Clean Access Server or Manager.

After the upgrade is run, you will be required to install from the provided 3.6 CDs. After this install, the snapshot created here must be copied back to the Clean Access Manager, un-tarred and the RESTORE.pl script run to restore your systems' previous configuration information.

The following is a general summary of the upgrade/migration steps:

1. For safekeeping, BACKUP your 3.5(x) Clean Access Manager using Administration > Backup and save the snapshot on a local computer (as described in Create CAM DB Backup Snapshot).

2. From your existing CAM, run the upgrade script to generate a backup tarball of your entire system and send the file off the CAM (by SCP (default) or FTP) to another machine. For users whose networks do not have convenient SSH servers available for SCP, the configuration snapshot can be transferred automatically via FTP to any Windows (IIS) FTP server.

Warning The 3.6(x) upgrade script must only be run immediately prior to the CD re-install. The script assumes that the hard drive will be destroyed shortly after the upgrade script is run.


3. You must then perform CD-ROM install (.iso files) of release 3.6(x) on all CAM and CAS boxes.

4. After installation is complete on all boxes, copy the system backup tarball back to the CAM.

5. Untar the system backup file and execute the restore command.

6. You must then reboot each CAM and CAS machine in your system. For CAM or CAS failover (high-availability) configurations, the Primary machine must be rebooted first, then the Standby machine.

7. After reboot, your Cisco Clean Access configuration will be propagated to all your CASes and Standby machines.

8. After performing 3.5(x)-to-3.6(x) migration, the very first time you log into the 3.6(x) CAM web console, the CAM will attempt an automated Cisco Update to populate the AV/AS tables in the database. A popup dialog with following message will appear:

"The system detects that it has just been upgraded to a newer version. It is now
trying to connect to the Cisco server to get the checks/rules and AV/AS support list
update. It might take a few minutes."

If the automated update fails (for example, due to incorrect proxy settings on your CAM), you will be prompted to perform Cisco Updates manually from Device Management > Clean Access > Clean Access Agent > Updates. A Cisco Update must be performed (whether automated or manual) before any new AV/AS rules can be configured.
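The backup tarball from step 2 is the only copy of the deployment configuration once the CD install in step 3 wipes the disk, and step 5 extracts it on the rebuilt CAM. The following shell functions are an added example, not part of the release notes or the upgrade script: they check the cam-<cam_ip_address>-backup.tar.gz name, record a cksum fingerprint before the file leaves the CAM and compare it after copy-back, and confirm the archive lists RESTORE.pl (assumed here to be packaged inside the tarball).

```shell
#!/bin/sh
# Added example (not from the Cisco release notes or upgrade script): integrity checks
# on the 3.5(x)-to-3.6(x) system backup tarball before it is transferred off the CAM
# and again after it is copied back for the restore.

# Return 0 if the filename follows the cam-<cam_ip_address>-backup.tar.gz form.
backup_name_ok() {
    printf '%s\n' "$1" | grep -Eq '^cam-([0-9]{1,3}\.){3}[0-9]{1,3}-backup\.tar\.gz$'
}

# Print a POSIX cksum fingerprint ("<crc> <size>") to record before transfer.
backup_fingerprint() {
    cksum "$1" | awk '{print $1, $2}'
}

# Compare a previously recorded fingerprint ($1) with the copied-back file ($2).
backup_matches() {
    [ "$(backup_fingerprint "$2")" = "$1" ]
}

# Check, without extracting, that the archive is a readable gzip tar and lists
# RESTORE.pl (assumption: the restore script is packaged inside the tarball).
backup_lists_restore_script() {
    tar -tzf "$1" 2>/dev/null | grep -q 'RESTORE\.pl$'
}

# Round-trip demonstration on a constructed tarball (not a real CAM backup):
# build it, fingerprint it, "copy" it, and verify the copy before a restore would run.
demo_round_trip() {
    tmp=$(mktemp -d) || return 1
    name="cam-10.201.2.40-backup.tar.gz"
    printf '#!/usr/bin/perl\n' > "$tmp/RESTORE.pl"
    tar -czf "$tmp/$name" -C "$tmp" RESTORE.pl
    fp=$(backup_fingerprint "$tmp/$name")
    cp "$tmp/$name" "$tmp/copied-back.tar.gz"
    rc=0
    backup_name_ok "$name" || rc=1
    backup_matches "$fp" "$tmp/copied-back.tar.gz" || rc=1
    backup_lists_restore_script "$tmp/copied-back.tar.gz" || rc=1
    rm -rf "$tmp"
    return $rc
}

demo_round_trip && echo "round-trip check passed"
```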

a. Copy cca_upgrade_3.5.x-to-3.6.4.tar.gz to the /store directory on the Clean Access Manager.

If using PSCP:

a. Open a command prompt on your Windows computer.

b. Cd to the path where your PSCP resides (e.g., C:\Documents and Settings\desktop).

c. Enter the following command to copy the file to the Clean Access Manager:

pscp cca_upgrade_3.5.x-to-3.6.4.tar.gz root@ipaddress_manager:/store

Run the Upgrade File on the CAM and Perform System Backup

Note Before running the upgrade, please document the eth0 IP addresses of your CAM and CAS (including Primary and Standby eth0 IP addresses for HA systems). These must be given during the system backup procedure, and are needed for the CD install and to SCP the backup file back to the system after the CD upgrade.

Warning The 3.6(x) upgrade script must only be run immediately prior to the CD re-install. The script assumes that the hard drive will be destroyed shortly after the upgrade script is run.

Step 3 Connect to the Clean Access Manager to upgrade using Putty or SSH.

Please choose a directory on the destination machine that the configuration snapshot will
be placed in. A small test file will be copied into that directory to verify connectivity.

Please enter the destination directory now: /store

Step 10 Type the username account and password for the destination machine:

Please enter the username to be used for the transfer: root

What is the password for account root at 10.201.2.40?

Step 11 At the following prompt, type y or press Enter to start the system backup:

Backup entire system? [y] y

Note Typically, the entire system should be backed up. If you enter n (no) at this prompt, only the CAM is backed up and it is expected that you will run the upgrade/migration script on each of your individual CAS systems to back up each CAS system individually.

Step 12 This starts the backup of the first Clean Access Server. At the next prompt, type the root user password for the CAS and press Enter to continue:

Step 13 You will see a status message corresponding to the number of machines in your deployment. For failover (HA) pairs, the script will locate the Service IP first, followed by the real IP address of each machine in the failover pair. In the example deployment below, two failover CAS machines and two failover CAM machines are backed up. When finished, the Backup complete prompt indicates the system backup file (i.e. cam-<cam_ip_address>-backup.tar.gz) has been successfully created and transferred to the external machine.

Note Cisco recommends performing automatic transfer of the backup configuration file. If you do not select automatic transfer at step 6, the following warning message will appear:

#######################
#       WARNING       #
#######################

File "cam-<cam_ip_address>-backup.tar.gz" MUST be transferred safely off this machine
before the 3.6.x install is run.

Failure to do this will result in complete loss of configuration information for this
deployment.

Perform CD Installation

Caution The Clean Access Manager and Server software is not intended to coexist with other software or data on the target machine. The installation process formats and partitions the target hard drive, destroying any data or software on the drive. Before starting the installation, make sure that the target computer does not contain any data or applications that you need to keep.

Step 14 Install 3.6(x) on each CAS and CAM machine. Connect to each server machine directly or via serial connection using terminal emulation software (such as HyperTerminal or SecureCRT) and insert the 3.6(x) product CD in the CD-ROM drive. Follow the auto-run procedures.

Step 15 At the first screen prompt, press Enter if connected directly to the server machine, or type serial and press Enter if connected serially to the machine:

Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.

Welcome to the Cisco Clean Access Installer!

- To install a Cisco Clean Access device, press the <ENTER> key.

- To install a Cisco Clean Access device over a serial console,

enter serial at the boot prompt and press the <ENTER> key.

boot:

Caution With release 3.6(x), only one CD is used for installation of the Clean Access Server or Clean Access Manager software. The installation script does NOT automatically detect or select CAS or CAM installation for the target server. You MUST select the appropriate type, either CAS or CAM, for the target machine on which you are performing installation. Do NOT select either both packages or no packages.

Step 16 Release 3.6(x) presents an additional screen prompt for selection of CCA Manager software installation or CCA Server software installation. At the following screen prompt, you must select EITHER CCA Manager or CCA Server and select OK to begin the installation. Use the space bar and the "+" and "-" keys to select the appropriate type. Use the Tab key to tab to the OK field, and press the Enter key when done to start the installation of the package type selected.

Welcome to Cisco Clean Access

                ++ Package Group Selection ++
                |                           |
                | Total install size: 606M  |
                |                           |
                | [ ] CCA Manager         # |
                | [ ] CCA Server          # |
                |                         # |
                |                         # |
                |                         # |
                |                         # |
                |                         # |
                |                         # |
                |                           |
                |   +----+      +------+    |
                |   | OK |      | Back |    |
                |   +----+      +------+    |
                |                           |
                |                           |
                +---------------------------+

<Space>,<+>,<-> selection | <F2> Group Details | <F12> next screen

Note Do not select the "Back" option from the Package Group Selection screen (known issue).

Step 17 After the CCA Manager or CCA Server type is chosen and before the prompts appear to configure the IP address of the server, a warning message may be displayed:

Initial RAM disk image

Turning off some packages...

Initializing JDK links...

CCA has detected a change in your network hardware configuration. Please switch the
network cables between eth0 and eth1

Press [ENTER] to continue...

This message is displayed when the new kernel has detected that the NIC cards have been re-ordered. If this occurs, the Ethernet cables for eth0 and eth1 must be swapped. After swapping the cables, press the Enter key and proceed with the installation as usual. NIC card re-ordering only occurs when upgrading from previous 3.5 installations; it will occur only once and only during this stage of the installation.

Step 19 When CD installation on all target server machines is complete, continue to the next step.

Copy System Backup File Back to CAM

Step 20 After CD installation is completed on all machines, copy the system backup file to your Primary Clean Access Manager using WinSCP, SSH File Transfer or PSCP, as described below. The name of the system backup file will reflect the name and IP address of your Clean Access Manager and will be in the form cam-<cam_ip_address>-backup.tar.gz.

If using WinSCP or SSH File Transfer (replace <cam_ip_address> with the actual IP of your CAM)

Reboot All Machines

Step 27 After restore is complete, you MUST reboot all server machines to complete the upgrade and restoration of the backup configuration to all machines. For failover (HA) deployments, reboot the Primary CAM or CAS first, then reboot the Standby CAS.

[root@cam1 store]# reboot

Step 28 This completes the 3.6(x) upgrade/migration.

Note For OOB Deployments: Because Cisco Clean Access can control switch trunk ports for OOB (starting from release 3.6(1) and above), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports either before or after upgrade. See OOB Switch Trunk Ports and 3.6(x) Upgrade for details.

This section describes how to upgrade an existing standalone 3.6(x) system to a new minor release (e.g. 3.6(4)) or patch release (e.g. 3.6.4.4). In most cases, web upgrade is recommended for minor releases.

Note When upgrading from 3.6(x) to 3.6.4.4, you can perform webconsole upgrade of standalone 3.6(x) CAM/CAS machines if the following conditions are met:

Note For OOB Deployments: Because Cisco Clean Access can control switch trunk ports for OOB (starting from release 3.6(1) and above), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports either before or after upgrade. See OOB Switch Trunk Ports and 3.6(x) Upgrade for details.

Create CAM DB Backup Snapshot

Perform a full backup of your CAM database by creating a backup snapshot both before and after the upgrade. Make sure to download the snapshots to your desktop/laptop for safekeeping. Backing up prior to upgrade enables you to revert to your previous database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your 3.6 database.

Step 2 Type a name for the snapshot in the Database Snapshot Tag Name field.

Step 3 The field automatically populates with a name incorporating the current time and date (such as 07_20_06-14:43_snapshot). To facilitate backup file identification, it is recommended to insert the release version in the snapshot, for example, 07_20_06-14:43_3.6.3_snapshot. You can also either accept the default name or type another.

Step 4 Click Create Snapshot. The CAM generates a snapshot file, which is added to the snapshot list.

Note The file still physically resides on the CAM machine, and can remain there for archiving purposes. However, to back up a configuration for use in case of system failure, the snapshot should be downloaded to another computer.

Step 5 To download the snapshot to another computer, click the tag name of the snapshot to be downloaded.

Step 6 In the file download dialog, select the save file to disk option to save the file to your local computer.

Download the Upgrade File

For Cisco Clean Access 3.6 minor release upgrades, a single file, cca_upgrade_3.6.x-to-3.6.y.tar.gz, is downloaded to each Clean Access Manager (CAM) and Clean Access Server (CAS) installation machine. The upgrade script automatically determines whether the machine is a CAM or CAS. For Cisco Clean Access patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.

Step 2 On the Cisco Secure Software page for Cisco Clean Access, click the link for the appropriate release. Upgrade files use the following format (replace the .x and .y in the file name with the version number to which you are upgrading, for example, cca_upgrade_3.6.x-to-3.6.4.4.tar.gz):

–cca_upgrade_3.6.x-to-3.6.y.tar.gz (CAM/CAS release upgrade file)

–cca-3.6.x-to-3.6.x.y-upgrade.tar.gz (CAM/CAS patch upgrade file)

–cam-3.6.x-to-3.6.x.y-upgrade.tar.gz (CAM-only patch upgrade file)

–cas-3.6.x-to-3.6.x.y-upgrade.tar.gz (CAS-only patch upgrade file)

Step 3 Download the file to the local computer from which you are accessing the CAM web console.

Upgrade via Web Console

Note In most cases, web upgrade is recommended for 3.6(x) minor release upgrades.

Administrators have the option of performing software upgrade on the CAS and CAM via web console:

With web upgrade, the CAM and CAS automatically perform all the upgrade tasks that are done manually for SSH upgrade (for example, untar file, cd to /store, run upgrade script). The CAM also automatically creates snapshots before and after upgrade. When upgrading via web console only, the machine automatically reboots after the upgrade completes. The steps for web upgrade are as follows:

Upgrade CAS from CAS Management Pages

Once release 3.6(x) is installed on the CAS, minor release web upgrades to the CAS can be performed via the CAS management pages as described below, or if preferred, using the instructions for Upgrade CAS from CAS Direct Access Web Console.

b. Click the Manage button for the CAS to upgrade. The CAS management pages appear.

c. Click the Misc tab. The Update form appears by default.

Step 4 Click Browse to locate the upgrade file you just downloaded from Cisco Downloads (replace the .x and .y in the filename with the upgrade version):

cca_upgrade_3.6.x-to-3.6.y.tar.gz (CAM/CAS release upgrade file), or

cca-3.6.x-to-3.6.x.y-upgrade.tar.gz (CAM/CAS patch upgrade file), or

cas-3.6.x-to-3.6.x.y-upgrade.tar.gz (CAS-only patch upgrade file)

Step 5 Click the Upload button. This loads the upgrade file into the CAM's upgrade directory for this CAS and all CASes in the List of Servers. (Note that at this stage the upgrade file is not yet physically on the CAS.) The list of upgrade files on the page will display the newly-uploaded upgrade file with its date and time of upload, file name, and notes (if applicable).

Step 6 Click the Apply icon for the upgrade file, and click OK in the confirmation dialog that appears. This will start the CAS upgrade. The CAS will show a status of "Not connected" in the List of Servers during the upgrade. After the upgrade is complete, the CAS automatically reboots.

Note For 3.6.0.1 patch upgrade via web console only, the machine (CAS or CAM) will NOT automatically reboot. The patch upgrade should complete in 2-5 minutes.

Step 7 Wait 2-5 minutes for the upgrade and reboot to complete. The CAS management pages will become unavailable during the reboot, and the CAS will show a Status of "Disconnected" in the List of Servers.

Step 8 Access the CAS management pages again and click the Misc tab. The new software version and date will be listed in the Current Version field. (See also Determining the Software Version)

Note The format of the Upgrade Details log is: state before upgrade, upgrade process details, state after upgrade. It is normal for the "state before upgrade" to contain several warning/error messages (e.g. "INCORRECT"). The "state after upgrade" should be free of any warning or error messages.

Upgrade CAS from CAS Direct Access Web Console

You can upgrade the CAS from the CAS direct access web console using the following instructions. To upgrade the CASes from the CAM web console, see Upgrade CAS from CAS Management Pages.

Step 5 Click Browse to locate the upgrade file you just downloaded (replace the .x and .y in the file name with the upgrade version):

cca_upgrade_3.6.x-to-3.6.y.tar.gz (CAM/CAS release upgrade file), or

cca-3.6.x-to-3.6.x.y-upgrade.tar.gz (CAM/CAS patch upgrade file), or

cas-3.6.x-to-3.6.x.y-upgrade.tar.gz (CAS-only patch upgrade file)

Step 6 Click the Upload button. This loads the upgrade file to the CAS and displays it in the upgrade file list with date and time of upload, file name, and notes (if applicable).

Step 7 Click the Apply icon for the upgrade file, and click OK in the confirmation dialog that appears. This will start the CAS upgrade. The CAS will show a status of "Not connected" in the List of Servers during the upgrade. After the upgrade is complete, the CAS will automatically reboot.

Note For 3.6.0.1 patch upgrade via web console only, the machine (CAS or CAM) will NOT automatically reboot. The patch upgrade should complete in 2-5 minutes.

Step 8 Wait 2-5 minutes for the upgrade and reboot to complete. The CAS web console will become unavailable during the reboot.

Step 9 Access the CAS web console again and go to Administration > Software Update. The new software version and date will be listed in the Current Version field. (See also Determining the Software Version)

Note The format of the Upgrade Details log is: state before upgrade, upgrade process details, state after upgrade. It is normal for the "state before upgrade" to contain several warning/error messages (e.g. "INCORRECT"). The "state after upgrade" should be free of any warning or error messages.

Step 4 Click Browse to locate the upgrade file you just downloaded from Cisco Downloads (replace the .x and .y in the file name with the upgrade version):

cca_upgrade_3.6.x-to-3.6.y.tar.gz (CAM/CAS release upgrade file)

cca-3.6.x-to-3.6.x.y-upgrade.tar.gz (CAM/CAS patch upgrade file), or

cam_upgrade-3.6.x.y.tar.gz (CAM-only patch upgrade file)

Step 5 Click the Upload button. This loads the upgrade file to the CAM and displays it in the upgrade file list with date and time of upload, file name, and notes (if applicable).

Step 6 Once the upgrade file appears in the list, click the checkbox under "Upgrade Agent?" to ensure the Setup and Patch installation files for the Clean Access Agent are upgraded to the latest release, (e.g. Agent 3.6.5.0 for CCA release 3.6.4.4).

Step 7 Click the Apply button for the upgrade file, and click OK in the confirmation dialog that appears. This will start the CAM upgrade in 2 minutes. After upgrade completes, the CAM automatically reboots.

Note For 3.6.0.1 patch upgrade via web console only, the machine (CAS or CAM) will NOT automatically reboot. The patch upgrade should complete in 2-5 minutes.

Step 8 Wait 2-5 minutes for the upgrade and reboot to complete. The CAM web console will become unavailable during the reboot.

Step 9 Access the CAM web console again. You should now see the new version, "Cisco Clean Access Manager Version 3.6.x", at the top of the web console. (See also Determining the Software Version.)

Note The format of the Upgrade Details log is: state before upgrade, upgrade process details, state after upgrade. It is normal for the "state before upgrade" to contain several warning/error messages (e.g. "INCORRECT"). The "state after upgrade" should be free of any warning or error messages.
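As an added example (not code from the release notes), the following POSIX shell script applies the rule in the note above to an Upgrade Details log: warnings in the "state before upgrade" part are ignored, and anything flagged after the "state after upgrade" marker fails the check. The section marker strings and the two sample logs are constructed for illustration; match the markers to the headings in your own log.

```shell
#!/bin/sh
# Added example, not from the Cisco release notes. It checks an Upgrade
# Details log the way the note describes: only the "state after upgrade"
# part must be free of warnings and errors.
# ASSUMPTION: the section marker strings below are illustrative; the real
# log's headings may differ.

# Print only the lines that follow the "state after upgrade" marker.
after_section() {
    awk '
        tolower($0) ~ /state after upgrade/ { in_after = 1; next }
        in_after { print }
    ' "$1"
}

# Count warning/error indicators in the post-upgrade state (0 = clean).
# "INCORRECT" is the marker the note cites; ERROR/WARN cover generic cases.
count_after_problems() {
    after_section "$1" | grep -c -E 'INCORRECT|ERROR|WARN' || true
}

# Exit 0 when the post-upgrade state is clean, 1 otherwise. A log with no
# "state after upgrade" section is treated as not clean rather than ignored,
# and offending lines are printed so they can go into a TAC case.
upgrade_log_clean() {
    if ! grep -qi 'state after upgrade' "$1"; then
        echo "$1: no 'state after upgrade' section found" >&2
        return 1
    fi
    if [ "$(count_after_problems "$1")" -eq 0 ]; then
        return 0
    fi
    echo "post-upgrade problems in $1:" >&2
    after_section "$1" | grep -E 'INCORRECT|ERROR|WARN' >&2
    return 1
}

# Constructed sample logs (not real CCA output) to exercise the check.
write_clean_log() {
    cat > "$1" <<'EOF'
==== state before upgrade ====
checking database ... INCORRECT
checking services ... WARNING: service not running
==== upgrade process details ====
applying packages ... done
==== state after upgrade ====
checking database ... OK
checking services ... OK
EOF
}

write_dirty_log() {
    cat > "$1" <<'EOF'
==== state before upgrade ====
checking database ... INCORRECT
==== upgrade process details ====
applying packages ... done
==== state after upgrade ====
checking database ... INCORRECT
checking services ... OK
EOF
}

# Stand-alone demonstration.
tmp=$(mktemp -d)
write_clean_log "$tmp/clean.log"
write_dirty_log "$tmp/dirty.log"
upgrade_log_clean "$tmp/clean.log" && echo "clean.log: OK"
upgrade_log_clean "$tmp/dirty.log" || echo "dirty.log: needs attention"
rm -rf "$tmp"
```

The pre-upgrade "INCORRECT" and "WARNING" lines in the clean sample are deliberately left in place: they are the normal noise the note describes, and the check must not trip on them.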

Note For OOB Deployments: Because Cisco Clean Access can control switch trunk ports for OOB (starting from release 3.6(1) and above), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports either before or after upgrade. See OOB Switch Trunk Ports and 3.6(x) Upgrade for details.

In most cases, web upgrade is recommended for 3.6(x) minor release upgrades of standalone systems (as described in Upgrade via Web Console). However, you can always perform SSH upgrade if necessary or if preferred.

Note The default username/password for SSH/console login is root/cisco123.

A single file, cca_upgrade_3.6.x-to-3.6.y.tar.gz, is downloaded to each installation machine. The upgrade script automatically determines whether the machine is a Clean Access Manager (CAM) or Clean Access Server (CAS), and executes if the current system is running release 3.6(0) or above. For Cisco Clean Access patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.
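The four file-name patterns listed in this document encode the target (CAM, CAS or both) and the kind of upgrade, and copying a CAM-only patch to a CAS is an easy mistake when several files sit in one download folder. The following POSIX shell script is an added example, not Cisco's code: it parses those names and gates the copy on machine role and installed version. The version numbers in the usage are constructed, and the from-version comparison is this example's own sanity check, not a behaviour the release notes describe.

```shell
#!/bin/sh
# Added example, not from the Cisco release notes. Parses the documented
# upgrade file name patterns and decides whether a file belongs on a given
# machine before it is copied to /store. Version strings used below are
# constructed samples.

# Print "<role> <kind> <from> <to>" for a recognised name, where role is
# both|cam|cas, kind is release|patch, and "-" marks an unknown from-version.
# Returns 1 for a name that matches none of the documented patterns.
classify_upgrade_file() {
    f=$(basename "$1")
    case "$f" in
        cca_upgrade_3.6.*-to-3.6.*.tar.gz)        # CAM/CAS release upgrade
            v=${f#cca_upgrade_}; v=${v%.tar.gz}
            echo "both release ${v%-to-*} ${v#*-to-}" ;;
        cca-3.6.*-to-3.6.*-upgrade.tar.gz)        # CAM/CAS patch upgrade
            v=${f#cca-}; v=${v%-upgrade.tar.gz}
            echo "both patch ${v%-to-*} ${v#*-to-}" ;;
        cas-3.6.*-to-3.6.*-upgrade.tar.gz)        # CAS-only patch upgrade
            v=${f#cas-}; v=${v%-upgrade.tar.gz}
            echo "cas patch ${v%-to-*} ${v#*-to-}" ;;
        cam_upgrade-3.6.*.tar.gz)                 # CAM-only patch upgrade
            v=${f#cam_upgrade-}; v=${v%.tar.gz}
            echo "cam patch - $v" ;;
        *)
            echo "unknown - - -"; return 1 ;;
    esac
}

# True when the file is meant for a machine of the given role (cam|cas).
upgrade_applies_to() {
    role=$(classify_upgrade_file "$1" | cut -d' ' -f1)
    [ "$role" = both ] || [ "$role" = "$2" ]
}

# True when the from-version in the name matches the installed version
# ($2, as shown in the web console's Current Version field), or when the
# pattern carries no from-version. This comparison is the example's own
# check, added so a file built for a different starting release is caught
# before it is untarred.
upgrade_from_matches() {
    from=$(classify_upgrade_file "$1" | cut -d' ' -f3)
    [ "$from" = - ] || [ "$from" = "$2" ]
}

# Combined gate to run before pscp/scp to a host:
#   ready_to_copy FILE ROLE INSTALLED_VERSION
ready_to_copy() {
    upgrade_applies_to "$1" "$2" && upgrade_from_matches "$1" "$3"
}

# Stand-alone demonstration with constructed names and versions.
for f in cca_upgrade_3.6.3-to-3.6.4.tar.gz cas-3.6.4-to-3.6.4.1-upgrade.tar.gz \
         cam_upgrade-3.6.4.4.tar.gz; do
    echo "$f -> $(classify_upgrade_file "$f")"
    ready_to_copy "$f" cas 3.6.4 && echo "  ok for a CAS at 3.6.4" \
                                 || echo "  not for a CAS at 3.6.4"
done
```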

Download the Upgrade File and Copy to CAM/CAS

Step 3 Copy the upgrade file to the Clean Access Manager and Clean Access Server(s) respectively using WinSCP, SSH File Transfer or PSCP as described below (replace the .x and .y in the file name with the upgrade version number).

If using WinSCP or SSH File Transfer (replace .y with upgrade version number):

a. Copy cca_upgrade_3.6.x-to-3.6.y.tar.gz to the /store directory on the Clean Access Manager.

b. Copy cca_upgrade_3.6.x-to-3.6.y.tar.gz to the /store directory on each Clean Access Server.

If using PSCP (replace .y with upgrade version number):

a. Open a command prompt on your Windows computer.

b. Cd to the path where your PSCP resides (e.g., C:\Documents and Settings\desktop).

c. Enter the following command to copy the file (replace .x with minor upgrade version number) to the CAM:

pscp cca_upgrade_3.6.x-to-3.6.y.tar.gz root@ipaddress_manager:/store

d. Enter the following command to copy the file (replace .y with upgrade version number) to the CAS (copy to each CAS):

pscp cca_upgrade_3.6.x-to-3.6.y.tar.gz root@ipaddress_server:/store

Perform SSH Upgrade on the CAM

Step 4 Connect to the Clean Access Manager to upgrade using Putty or SSH.

a. SSH to the Clean Access Manager.

b. Login as the root user with root password (default password is cisco123).

Note When upgrading the CAM from a 3.6(x) release to 3.6(3) and above, the script provides an additional prompt to choose whether or not to upgrade the Clean Access Agent files inside the CAM. Choosing Yes upgrades the Agent Setup Installation and Patch Installation files to the latest Agent version bundled with the release (for example, Agent 3.6.5.0 for release 3.6.4.4). Choosing No leaves the original Agent Setup and Patch Installation files that were on your CAM prior to upgrade.

5. At the following prompt enter Y to upgrade the Agent on your CAM to the version bundled with the CCA release, or enter N to keep the version of the Agent currently on your CAM.

Upgrade CCA Agent version to 3.6.x.x? (y/n)? [y]

e. When the upgrade is complete, reboot the machine:

reboot

Perform SSH Upgrade on the CAS

Step 5 Connect to the Clean Access Server to upgrade using Putty or SSH:

Note For OOB Deployments: Because Cisco Clean Access can control switch trunk ports for OOB (starting from release 3.6(1) and above), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports either before or after upgrade. See OOB Switch Trunk Ports and 3.6(x) Upgrade for details.

For failover CAS pairs, Device Management > CCA Servers > List of Servers in the CAM web console displays the Service IP of the CAS pair first, followed by the IP address of the active CAS in brackets. When the secondary CAS takes over, its IP address will be listed in the brackets as the active server.

Note The CAS configured in HA-Primary-Mode may not be the currently Active CAS.

Instructions for Upgrading High Availability CAM and CAS

The following steps show the generally recommended way to upgrade an existing high-availability (failover) pair of Clean Access Managers or Clean Access Servers.

Warning Make sure to follow this procedure to prevent the database from getting out of sync.

Step 3 Determine which box is active, and which is in standby mode, and that both are operating normally, as follows:

a. Untar the upgrade package in the /store directory of each machine (replace the .x and .y in the file name with the upgrade version number):

tar xzvf cca_upgrade_3.6.x-to-3.6.y.tar.gz

b. CD into the created "cca_upgrade_3.6.x-to-3.6.y" directory on each machine.

c. Run the following command on each machine:

./fostate.sh

The results should be either "My node is active, peer node is standby" or "My node is standby, peer node is active". No nodes should be dead. This should be done on both boxes, and the results should be that one box considers itself active and the other box considers itself in standby mode. Future references in these instructions that specify "active" or "standby" refer to the results of this test as performed at this time.

Note The fostate.sh command is part of the upgrade script (starting from 3.5(3)+). You can always determine which box is active or standby by accessing the web console as described in Accessing Web Consoles for High Availability.

Step 4 Bring the box acting as the standby down by entering the following command via the SSH terminal:

shutdown -h now

Step 5 Wait until the standby box is completely shut down.

Step 6 CD into the created "cca_upgrade_3.6.x-to-3.6.y" directory on the active box.

cd cca_upgrade_3.6.x-to-3.6.y

Step 7 Run the following command on the active box:

./fostate.sh

Make sure this returns "My node is active, peer node is dead" before continuing.

Step 8 Perform the upgrade on the active box, as follows:

a. Make sure the upgrade package is untarred in the /store directory on the active box.

b. From the untarred upgrade directory created on the active box (for example "cca_upgrade_3.6.x-to-3.6.y"), run the upgrade script on the active box:

./UPGRADE.sh

Note When upgrading the CAM from a 3.6(x) release to 3.6(3) and above, the script provides an additional prompt to choose whether or not to upgrade the Clean Access Agent files inside the CAM. Choosing Yes upgrades the Agent Setup Installation and Patch Installation files to the latest Agent version bundled with the release (for example, Agent 3.6.5.0 for release 3.6.4.4). Choosing No leaves the original Agent Setup and Patch Installation files that were on your CAM prior to upgrade.

Caution For HA-CAM upgrade, make sure to use the same upgrade option for the CCA Agent on both the HA-Primary and HA-Standby CAM.

7. At the following prompt enter Y to upgrade the Agent on your active CAM to the version bundled with the CCA release, or enter N to keep the current version of the Agent.

Upgrade CCA Agent version to 3.6.x.x? (y/n)? [y]

Step 9 After the upgrade is completed, shut down the active box by entering the following command via the SSH terminal:

shutdown -h now

Step 10 Wait until the active box is done shutting down.

Step 11 Boot up the standby box by powering it on.

Step 12 Perform the upgrade to the standby box:

a. Make sure the upgrade package is untarred in the /store directory on the standby box.

b. CD into the untarred upgrade directory created on the standby box:

cd cca_upgrade_3.6.x-to-3.6.y

c. Run the upgrade script on the standby box:

./UPGRADE.sh

Caution For HA-CAM upgrade from a 3.6(x) release to 3.6(3) and above, make sure to use the same upgrade option for the CCA Agent on both the HA-Primary and HA-Standby CAM.

8. At the following prompt enter Y to upgrade the Agent on the standby CAM to the version bundled with the CCA release, or enter N to keep the version of the Agent.

Upgrade CCA Agent version to 3.6.x.x? (y/n)? [y]

Step 13 Shut down the standby box by entering the following command via the SSH terminal:

shutdown -h now

Step 14 Power up the active box. Wait until it is running normally and connection to the web console is possible.

Step 15 Power up the standby box.

Note There will be approximately 2-5 minutes of downtime while the servers are rebooting.

Note For OOB Deployments: Because Cisco Clean Access can control switch trunk ports for OOB (starting from release 3.6(1) and above), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports either before or after upgrade. See OOB Switch Trunk Ports and 3.6(x) Upgrade for details.
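The procedure above hinges on the exact fostate.sh result strings, and running UPGRADE.sh while the peer is still up is how the databases end up out of sync. As an added example that is not part of the release notes, the following POSIX shell script encodes those strings as a gate in front of the upgrade script; the fostate.sh output is passed in as a string so the gate can be exercised without a CAM or CAS, and the script to run is a parameter for the same reason.

```shell
#!/bin/sh
# Added example, not part of the Cisco release notes: a gate in front of
# UPGRADE.sh built from the fostate.sh result strings quoted in the HA
# upgrade procedure. fostate.sh output is passed in as a string.

# Normalise a fostate.sh result line to a short tag.
classify_fostate() {
    case "$1" in
        "My node is active, peer node is standby") echo active-standby ;;
        "My node is standby, peer node is active") echo standby-active ;;
        "My node is active, peer node is dead")    echo active-dead ;;
        "My node is standby, peer node is dead")   echo standby-dead ;;
        *)                                         echo unknown ;;
    esac
}

# Step 3 check: the two boxes must report opposite roles and no dead node.
# $1 is the line from one box, $2 the line from the other.
pair_healthy() {
    a=$(classify_fostate "$1")
    b=$(classify_fostate "$2")
    { [ "$a" = active-standby ] && [ "$b" = standby-active ]; } ||
    { [ "$a" = standby-active ] && [ "$b" = active-standby ]; }
}

# Step 7 check: the standby must already be shut down before the active box
# is upgraded, otherwise a failover mid-upgrade can leave the databases out
# of sync (the warning at the top of the HA procedure).
safe_to_upgrade_active() {
    [ "$(classify_fostate "$1")" = active-dead ]
}

# Run the upgrade script only when the gate passes. $1 is the fostate.sh
# line, $2 the script to run (defaults to ./UPGRADE.sh; pass "true" to
# exercise the gate without an appliance).
gated_upgrade() {
    script=${2:-./UPGRADE.sh}
    if safe_to_upgrade_active "$1"; then
        "$script"
    else
        echo "refusing to run $script: fostate.sh reports '$1'" >&2
        return 1
    fi
}

# Stand-alone demonstration with constructed fostate.sh output.
if pair_healthy "My node is active, peer node is standby" \
                "My node is standby, peer node is active"; then
    echo "pair healthy: proceed to shut down the standby"
fi
gated_upgrade "My node is active, peer node is standby" true || echo "gate held"
gated_upgrade "My node is active, peer node is dead" true && echo "gate passed"
```

The same gate applies unchanged to the standby box in Step 12, because by then the roles have swapped and fostate.sh on the box being upgraded again reports its peer as dead.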

A login page must be added and present in the system in order for both web login and Clean Access Agent users to authenticate. If a default login page is not present, Clean Access Agent users will see the following error dialog when attempting login:

2. Check the time set on the CAM and CAS. The time set on the CAM and the CAS must be 5 minutes apart or less (under Administration > CCA Manager > System Time, and Device Management > CCA Servers > Manage [CAS_IP] > Misc > Time).

To resolve these issues:

1. Set the time on the CAM and CAS correctly first.

2. Regenerate the certificate on the CAS using the correct IP address or domain.

3. Reboot the CAS.

4. Regenerate the certificate on the CAM using the correct IP address or domain.

5. Reboot the CAM.

Creating CAM DB Snapshot

Downloading CAM/CAS Support Logs

The Support Logs web console pages for the CAM and CAS allow administrators to combine a variety of system logs (such as information on open files, open handles, and packages) into one tarball that can be sent to TAC to be included in the support case. Administrators should download the CAM and CAS support logs from the CAM and CAS web consoles respectively and include them with their customer support request, as follows:

Recovering Root Password for CAM/CAS (Release 4.0.x/3.6.x)

Use the following procedure to recover the root password for a 4.0/3.6 CAM or CAS machine. The following password recovery instructions assume that you are connected to the CAM/CAS via a keyboard and monitor (i.e. console or KVM console, NOT a serial console).

1. Power up the machine.

2. When you see the boot loader screen with the "Press any key to enter the menu..." message, press any key.

3. You will be at the GRUB menu with one item in the list "Cisco Clean Access (2.6.11-perfigo)." Press "e" to edit.

5. Scroll to the second entry (line starting with "kernel...") and press "e" to edit the line.

6. Delete the line "console=ttyS0,9600n8", add the word "single" to the end of the line, then press "Enter". The line should appear as follows:

kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 single

7. Next, press "b" to boot the machine in single user mode. You should be presented with a root shell prompt after boot-up (note that you will not be prompted for password).

8. At the prompt, type "passwd", press "Enter" and follow the instructions.

9. After the password is changed, enter "reboot" to reboot the box.

Recovering Root Password for CAM/CAS (Release 3.5.x or Below)

To recover the root password for CAM/CAS on release 3.5(x), you can use the Linux procedure to boot to single user mode and change the root password:

1. Connect to the CAM/CAS machine via console.

2. Power cycle the machine.

3. After power-cycling, the GUI mode displays. Press Ctrl-x to switch to text mode. This displays a "boot:" prompt.

4. At the prompt type: linux single. This boots the machine into single user mode.

5. Type: passwd.

6. Change the password.

7. Reboot the machine using the reboot command.
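Both recovery procedures work because the boot loader on these appliances lets whoever is at the console edit the kernel line or type linux single without authenticating, which matters when auditing physical and KVM access to a CAM or CAS. As an added example, not part of the release notes, the following POSIX shell script audits a GRUB Legacy grub.conf-style file: it reports whether a global password directive is present (in GRUB Legacy a global password line locks the interactive menu editor until the password is entered) and extracts the first entry's kernel line for comparison with the line shown in step 6 of the 4.0.x/3.6.x procedure. The sample configuration is constructed; whether changing the boot loader configuration is supported on the appliance is not something these release notes say.

```shell
#!/bin/sh
# Added example, not part of the Cisco release notes: an audit of a GRUB
# Legacy grub.conf-style file. ASSUMPTION: the sample file written below is
# constructed from the kernel line shown in the recovery steps; a real
# appliance file may carry more lines.

# Print "locked" when a password directive appears in the global section
# (before the first "title"), otherwise "unlocked".
grub_editor_state() {
    awk '
        /^[[:space:]]*title/    { exit }
        /^[[:space:]]*password/ { found = 1 }
        END { print (found ? "locked" : "unlocked") }
    ' "$1"
}

# Print the kernel line of the first menu entry, leading whitespace removed.
first_kernel_line() {
    awk '
        /^[[:space:]]*title/ { entries++ }
        entries == 1 && /^[[:space:]]*kernel/ { sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# True when the first entry still sends the console to the serial port, i.e.
# the argument that step 6 of the recovery procedure removes is present.
serial_console_enabled() {
    case "$(first_kernel_line "$1")" in
        *console=ttyS0,9600n8*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Write a constructed sample to $1; pass "locked" as $2 to add a global
# password line with an obviously fake hash.
write_sample_grub_conf() {
    {
        [ "${2:-}" = locked ] && echo 'password --md5 $1$PLACEHOLDER$notarealhash'
        cat <<'EOF'
default=0
timeout=5
title Cisco Clean Access (2.6.11-perfigo)
        root (hd0,0)
        kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=ttyS0,9600n8 console=tty0
EOF
    } > "$1"
}

# Stand-alone demonstration.
tmp=$(mktemp -d)
write_sample_grub_conf "$tmp/grub.conf"
echo "editor: $(grub_editor_state "$tmp/grub.conf")"
echo "kernel: $(first_kernel_line "$tmp/grub.conf")"
serial_console_enabled "$tmp/grub.conf" && echo "serial console argument present"
rm -rf "$tmp"
```

An "unlocked" result means the interactive edit in step 3 of the 4.0.x/3.6.x procedure is available to anyone at the console or KVM, so the compensating control is who can reach the console, not the root password.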

Agent AV/AS Rule Troubleshooting

To view administrator reports for the Clean Access Agent go to Device Management > Clean Access > Clean Access Agent > Reports. To view information from the client right-click the Agent taskbar icon and select About for the Agent version and Properties for AV/AS version.

When troubleshooting AV/AS Rules, please provide the following information:

1. Version of CAS, CAM, and Clean Access Agent.

2. Client OS version (e.g. Windows XP SP2)

3. Name and version of AV/AS vendor product.

4. What is failing—AV/AS installation check or AV/AS update checks? What is the error message?

5. What is the current value of the AV/AS def date/version on the failing client machine?

6. What is the corresponding value of the AV/AS def date/version being checked for on the CAM? (see Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info)

9. When a requirement fails, click the Cancel button in the Clean Access Agent.

10. Take the resulting "event.log" file from the home directory of the current user (e.g. C:\Documents and Settings\<username>\Application Data\CiscoCAA\event.log) and send it to TAC customer support, for example:

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0804R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.